CVE-2022-27197 – org.jenkins-ci.plugins:dashboard-view

Package

Manager: maven
Name: org.jenkins-ci.plugins:dashboard-view
Vulnerable Version: >=0 <2.18.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01495 pctl0.80372

Details

Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views. Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet’s Iframe source URL. Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page. In case of problems, the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue` can be used to customize the sandbox attribute value. The Java system property `hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox` can be used to disable the sandbox completely.

Metadata

Created: 2022-03-16T00:00:45Z
Modified: 2023-10-27T16:59:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-6fg4-36v7-xv32/GHSA-6fg4-36v7-xv32.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-6fg4-36v7-xv32
Finding: F425
Auto approve: 1