CVE-2022-46686 – io.jenkins.plugins:custom-build-properties

Package

Manager: maven
Name: io.jenkins.plugins:custom-build-properties
Vulnerable Version: >=0 <2.82.v16d5b

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.03172 pctl0.86434

Details

Jenkins Custom Build Properties Plugin vulnerable to Cross-site Scripting Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. Custom Build Properties Plugin 2.82.v16d5b_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

Metadata

Created: 2022-12-12T09:30:35Z
Modified: 2022-12-12T22:16:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-5g2c-j6v9-vf94/GHSA-5g2c-j6v9-vf94.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-5g2c-j6v9-vf94
Finding: F425
Auto approve: 1