CVE-2022-30970 – org.jenkins-ci.plugins:autocomplete-parameter

Package

Manager: maven
Name: org.jenkins-ci.plugins:autocomplete-parameter
Vulnerable Version: >=0 <=1.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.31598 pctl0.9665

Details

Cross-site Scripting in Jenkins Autocomplete Parameter Plugin Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. While this looks similar to SECURITY-2729, this is an independent problem and exploitable even on views rendering parameters that otherwise attempt to prevent XSS vulnerabilities in parameter names.

Metadata

Created: 2022-05-18T00:00:42Z
Modified: 2022-12-02T20:09:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cj9j-v8jp-6hm9/GHSA-cj9j-v8jp-6hm9.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-cj9j-v8jp-6hm9
Finding: F425
Auto approve: 1