[JENKINS:SECURITY-3102] HTML injection vulnerability in `aws-codecommit-trigger`
Severity: Medium | Affected Packages: 2 | CVEs: 1
aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL when rendering an error message.
This results in an HTML injection vulnerability: attacker-controlled markup in the queue name is reflected into the validation response.
NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses (https://www.jenkins.io/doc/upgrade-guide/2.263/#formvalidation) prevents JavaScript execution, so no scripts can be injected; injection of non-script HTML is still possible on those versions.
As of publication of this advisory, there is no fix.
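The advisory does not show the plugin's code, so the following is an added illustration of the general bug class, not the aws-codecommit-trigger plugin's own source. The class, method and parameter names (`QueueNameValidationExample`, `doCheckQueueName`, `queueName`) and the queue-name regex are assumptions for the example; the Jenkins APIs used (`FormValidation`, `Util.escape`, `@QueryParameter`) are real. The vulnerable variant interpolates the raw parameter into a markup error message; the hardened variant escapes it first.

```java
// Added example, not code from the aws-codecommit-trigger plugin or the advisory.
// Names are hypothetical; the Jenkins/Stapler APIs are real.
import hudson.Util;
import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;

public class QueueNameValidationExample {

    // Vulnerable pattern: errorWithMarkup() renders its argument as raw HTML,
    // so whatever the caller put in ?queueName= lands unescaped in the response.
    public static FormValidation doCheckQueueNameVulnerable(@QueryParameter String queueName) {
        if (queueName == null || queueName.isEmpty()) {
            return FormValidation.error("Queue name is required");
        }
        if (!looksLikeSqsQueueName(queueName)) {
            return FormValidation.errorWithMarkup(
                    "Invalid queue name: <b>" + queueName + "</b>");
        }
        return FormValidation.ok();
    }

    // Hardened pattern: escape user input before it touches markup. Using
    // FormValidation.error(String) instead of errorWithMarkup() would also
    // escape the whole message automatically.
    public static FormValidation doCheckQueueName(@QueryParameter String queueName) {
        if (queueName == null || queueName.isEmpty()) {
            return FormValidation.error("Queue name is required");
        }
        if (!looksLikeSqsQueueName(queueName)) {
            return FormValidation.errorWithMarkup(
                    "Invalid queue name: <b>" + Util.escape(queueName) + "</b>");
        }
        return FormValidation.ok();
    }

    // Assumed shape of an SQS queue name for this example: 1-80 characters of
    // letters, digits, hyphens and underscores, optionally ending in ".fifo".
    static boolean looksLikeSqsQueueName(String name) {
        return name.matches("[A-Za-z0-9_-]{1,80}(\\.fifo)?");
    }

    public static void main(String[] args) {
        // Constructed probe: markup that should never reach the browser unescaped.
        String probe = "<img src=x onerror=alert(1)>";
        System.out.println("vulnerable: " + doCheckQueueNameVulnerable(probe).renderHtml());
        System.out.println("hardened:   " + doCheckQueueName(probe).renderHtml());
    }
}
```

Running `main` shows the difference directly: the vulnerable response contains the `<img ...>` tag verbatim, while the hardened one contains `&lt;img ...&gt;`. On Jenkins cores before 2.275 / LTS 2.263.2 the unescaped variant allows script execution; on later cores the form validation hardening blocks scripts but the attacker can still inject arbitrary non-script HTML, so escaping remains necessary.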
| Package | Affected Version |
|---|---|
| pkg:maven/org.jenkins-ci.plugins/aws-codecommit-trigger | <= 3.0.12 |
| pkg:github/jenkinsci/aws-codecommit-trigger-plugin | <= 3.0.12 |
- ID: JENKINS:SECURITY-3102
- Severity: medium
- Published: 2023-09-06T00:00:00
- Modified: 2023-09-06T00:00:00
- Rights: Jenkins Security Team
- Other Advisories
| Source | Name | URL |
|---|---|---|
| Plugin repository | aws-codecommit-trigger repository | https://github.com/jenkinsci/aws-codecommit-trigger-plugin |
| Type | Package URL | Namespace | Name / Product | Version | Patch / Fix |
|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/aws-codecommit-trigger | org.jenkins-ci.plugins | aws-codecommit-trigger | <= 3.0.12 | |
| Affected | pkg:github/jenkinsci/aws-codecommit-trigger-plugin | jenkinsci | aws-codecommit-trigger-plugin | <= 3.0.12 | |