CVE-2022-36905 – eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin
Package
Manager: maven
Name: eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin
Vulnerable Version: >=0 <=2.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00808 (percentile 0.73317)
Details
Stored XSS vulnerability in Jenkins Maven Metadata Plugin for Jenkins CI server plugin
Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of "List maven artifact versions" parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Metadata
Created: 2022-07-28T00:00:42Z
Modified: 2022-12-12T16:09:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8294-mv9c-7m5h/GHSA-8294-mv9c-7m5h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8294-mv9c-7m5h
Finding: F425
Auto approve: 1