[JENKINS:SECURITY-2765] Stored XSS vulnerability in `jobConfigHistory`

Severity: High
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

jobConfigHistory 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.

jobConfigHistory 1166.vc9f255f45b_8a escapes the job name on the System Configuration History page.

| Package | Affected Version |
| --- | --- |
| pkg:maven/org.jenkins-ci.plugins/jobConfigHistory | <= 1165.v8cc9fd1f4597 |
| pkg:github/jenkinsci/jobconfighistory-plugin | <= 1165.v8cc9fd1f4597 |

| Package | Fixed Version |
| --- | --- |
| pkg:maven/org.jenkins-ci.plugins/jobConfigHistory | = 1166.vc9f255f45b_8a |
| pkg:github/jenkinsci/jobconfighistory-plugin | = 1166.vc9f255f45b_8a |

ID: JENKINS:SECURITY-2765
Severity: high
Published: 2022-08-23T00:00:00
Modified: 2022-08-23T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository jobConfigHistory repository https://github.com/jenkinsci/jobConfigHistory-plugin

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Affected | pkg:maven/org.jenkins-ci.plugins/jobConfigHistory | org.jenkins-ci.plugins | jobConfigHistory | <= 1165.v8cc9fd1f4597 | | | |
| Fixed | pkg:maven/org.jenkins-ci.plugins/jobConfigHistory | org.jenkins-ci.plugins | jobConfigHistory | = 1166.vc9f255f45b_8a | | | |
| Affected | pkg:github/jenkinsci/jobconfighistory-plugin | jenkinsci | jobconfighistory-plugin | <= 1165.v8cc9fd1f4597 | | | |
| Fixed | pkg:github/jenkinsci/jobconfighistory-plugin | jenkinsci | jobconfighistory-plugin | = 1166.vc9f255f45b_8a | | | |