Stored Cross-Site Scripting in Jenkins JUnit Plugin by Jenkins
CVE-2022-45380
5.4 MEDIUM
Summary
The Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output into clickable links without adequately sanitizing that output, resulting in a stored cross-site scripting (XSS) vulnerability. An attacker with Item/Configure permission on a job can submit a test report whose output contains malicious markup; because the markup is stored with the build and rendered in the browser of every user who views the report, the script runs in the context of the Jenkins site for each of those viewers. Administrators should check the installed JUnit Plugin version against the affected range below and upgrade to a release newer than 1159.v0b_396e1e07dd.
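The bug class described above, as an added illustration that is not the JUnit Plugin's own code: a linkifier that rewrites HTTP(S) URLs in test output into anchor tags by writing raw text into HTML, shown next to a hardened version that HTML-escapes every fragment (including the href) and only ever matches http/https schemes. Function names and the sample test output are assumptions constructed for this example, not taken from the plugin or the advisory.

```javascript
// Illustrative reconstruction of the stored-XSS pattern behind CVE-2022-45380.
// NOT the JUnit Plugin's code: function names and samples are assumed.

// Only http/https are ever turned into links, so a javascript: URL can never
// become an href. The character class stops at whitespace and HTML delimiters.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// VULNERABLE: the test output is dropped into the HTML as-is, so any tag an
// attacker placed in the output (via a crafted test report) is rendered live.
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HARDENED: tokenise on URL matches and escape every piece independently.
// Text between links is escaped, the href value is escaped, and the link
// label is escaped, so attacker-controlled output can only appear as text.
function linkifySafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = m[0];
    out += `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(text.slice(last));
}

// Detector used by the checks below: does the rendered HTML contain any tag
// other than the <a>/</a> the linkifier itself is allowed to emit?
function hasForeignTag(html) {
  return /<(?!\/?a[\s>])[a-z]/i.test(html);
}

// Constructed sample lines standing in for test report output written by a
// malicious job configuration (Item/Configure) or by a normal test.
const MALICIOUS_OUTPUT =
  "Request to http://example.test/health failed <img src=x onerror=alert(1)>";
const BENIGN_OUTPUT = "See http://example.test/run?id=7&view=log for details";

function demo() {
  return {
    unsafe: linkifyUnsafe(MALICIOUS_OUTPUT),
    safe: linkifySafe(MALICIOUS_OUTPUT),
    benign: linkifySafe(BENIGN_OUTPUT),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("unsafe :", r.unsafe, "\n  foreign tag?", hasForeignTag(r.unsafe));
  console.log("safe   :", r.safe, "\n  foreign tag?", hasForeignTag(r.safe));
  console.log("benign :", r.benign);
}
```

The benign sample shows why escaping the href matters even for legitimate URLs: the `&` in the query string becomes `&amp;` inside the attribute, which browsers decode back to `&`, so the link still works while no raw delimiter ever reaches the markup.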
Affected Version(s)
Jenkins JUnit Plugin <= 1159.v0b_396e1e07dd
Jenkins JUnit Plugin 1143.1145.v81b_b_9579a_019
Jenkins JUnit Plugin 1119.1122.v750e65d31b_db_
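An added check for administrators (not Jenkins' code) that maps an installed JUnit Plugin version onto the affected range above. Jenkins incremental versions such as 1159.v0b_396e1e07dd and 1143.1145.v81b_b_9579a_019 begin with a monotonically increasing build number, so the leading integer is compared against 1159; older two-part versions such as 1.x have a leading 1 and therefore also fall in the "and earlier" range. The response shape follows Jenkins' `/pluginManager/api/json?depth=1` endpoint (fields `plugins[].shortName` and `plugins[].version`); the sample response embedded here is constructed, and the second entry is filler, not a real plugin version.

```javascript
// Added example, not Jenkins' own code: classify a JUnit Plugin version
// against the affected range "<= 1159.v0b_396e1e07dd" for CVE-2022-45380.

const LAST_AFFECTED_BUILD = 1159; // leading build number of 1159.v0b_396e1e07dd

// Incremental versions: "<build>.v<hash>" or "<build>.<build>.v<hash>".
// Legacy versions: "1.53". In both cases the leading integer orders releases.
function leadingBuild(version) {
  const m = /^(\d+)/.exec(String(version));
  if (!m) throw new Error(`unrecognised plugin version: ${version}`);
  return Number(m[1]);
}

function isAffected(version) {
  return leadingBuild(version) <= LAST_AFFECTED_BUILD;
}

// Reduced shape of GET $JENKINS_URL/pluginManager/api/json?depth=1.
// Constructed sample; "other-plugin" is filler, not a real plugin or version.
const SAMPLE_RESPONSE = {
  plugins: [
    { shortName: "junit", version: "1143.1145.v81b_b_9579a_019", active: true },
    { shortName: "other-plugin", version: "2.3", active: true },
  ],
};

function junitStatus(response) {
  const p = (response.plugins || []).find((x) => x.shortName === "junit");
  if (!p) return { installed: false, affected: false, version: null };
  return { installed: true, version: p.version, affected: isAffected(p.version) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(junitStatus(SAMPLE_RESPONSE));
}
```

To run it against a live controller, save the output of `curl -s -u USER:API_TOKEN "$JENKINS_URL/pluginManager/api/json?depth=1"` to a file, `JSON.parse` it, and pass the object to `junitStatus`; a result with `affected: true` means the JUnit Plugin in use still converts URLs in test report output without adequate sanitization.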
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved