CVE-2022-34791 io.jenkins.plugins:validating-email-parameter

Package

Manager: maven
Name: io.jenkins.plugins:validating-email-parameter
Vulnerable Version: >=0 <=1.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.14252 (percentile 0.94153)

Details

Cross-site Scripting in Jenkins Validating Email Parameter Plugin

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type. Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the [SECURITY-353 / CVE-2017-2601](https://www.jenkins.io/security/advisory/2017-02-01/#persisted-cross-site-scripting-vulnerability-in-parameter-names-and-descriptions) fix that protects the "Build With Parameters" and "Parameters" pages from vulnerabilities like this by default. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Metadata

Created: 2022-07-01T00:01:07Z
Modified: 2022-12-12T18:28:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-hqmp-vxj7-5wpq/GHSA-hqmp-vxj7-5wpq.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-hqmp-vxj7-5wpq
Finding: F425
Auto approve: 1