[JENKINS:SECURITY-3102] HTML injection vulnerability in `aws-codecommit-trigger`

Severity: Medium
Affected Packages: 2
CVEs: 1

aws-codecommit-trigger 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL when rendering an error message.

This results in an HTML injection vulnerability: attacker-controlled markup supplied in the parameter is echoed back in the validation response.

NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses (see the Jenkins upgrade guide at /doc/upgrade-guide/2.263/#formvalidation) prevents JavaScript execution, so no scripts can be injected. Markup that does not execute script (links, images, fake form elements) is still injected into the rendered response.

As of publication of this advisory, there is no fix.
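The following is an added illustration of the shape of this bug class in a Jenkins form validation method, alongside its fix. It is not the aws-codecommit-trigger plugin's code: the method names `doCheckQueueNameVulnerable`/`doCheckQueueNameFixed`, the `queueExists` stand-in and the payload are assumptions made for the example. It assumes jenkins-core on the classpath.

```java
// Added example, not the plugin's code: HTML injection in a Jenkins
// form-validation response and the corresponding fix.
// Assumes jenkins-core on the classpath; doCheckQueueName* and queueExists are hypothetical.
import hudson.Util;
import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;

public class QueueNameValidation {

    // Hypothetical stand-in for a real queue lookup (e.g. against SQS).
    private static boolean queueExists(String name) {
        return "codecommit-events".equals(name);
    }

    // VULNERABLE: the user-controlled query parameter is concatenated into a
    // message that FormValidation renders verbatim as HTML markup. A request
    // such as .../checkQueueName?queueName=%3Cimg%20src%3Dx%3E gets the tag
    // echoed back unescaped into the validation response.
    public static FormValidation doCheckQueueNameVulnerable(@QueryParameter String queueName) {
        if (queueExists(queueName)) {
            return FormValidation.ok();
        }
        return FormValidation.errorWithMarkup("Queue <b>" + queueName + "</b> not found");
    }

    // FIXED: HTML-escape the parameter before it is embedded in markup.
    // (Alternatively, FormValidation.error(String) escapes its whole argument,
    // which is the simpler choice when no markup is needed in the message.)
    public static FormValidation doCheckQueueNameFixed(@QueryParameter String queueName) {
        if (queueExists(queueName)) {
            return FormValidation.ok();
        }
        return FormValidation.errorWithMarkup("Queue <b>" + Util.escape(queueName) + "</b> not found");
    }

    public static void main(String[] args) {
        // Constructed test input: markup that must not survive unescaped.
        String payload = "<img src=x onerror=alert(1)>";
        System.out.println("vulnerable: " + doCheckQueueNameVulnerable(payload).renderHtml());
        System.out.println("fixed:      " + doCheckQueueNameFixed(payload).renderHtml());
    }
}
```

In the vulnerable variant the rendered response contains the raw `<img ...>` tag; in the fixed variant the angle brackets come back as `&lt;` and `&gt;`. Even with the Jenkins 2.275 hardening blocking script execution, the first variant still injects arbitrary markup into the page, which is why escaping the parameter remains necessary.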

ID: JENKINS:SECURITY-3102
Severity: medium
Published: 2023-09-06T00:00:00
Modified: 2023-09-06T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source             Name                               URL
Plugin repository  aws-codecommit-trigger repository  https://github.com/jenkinsci/aws-codecommit-trigger-plugin
Affected packages
Type      Package URL                                               Namespace               Name                           Version
Affected  pkg:maven/org.jenkins-ci.plugins/aws-codecommit-trigger   org.jenkins-ci.plugins  aws-codecommit-trigger         <= 3.0.12
Affected  pkg:github/jenkinsci/aws-codecommit-trigger-plugin        jenkinsci               aws-codecommit-trigger-plugin  <= 3.0.12