[MAVEN:GHSA-JWHM-9CJM-4493] Cross-site Scripting in Jenkins Dashboard View Plugin

Severity Moderate

Affected Packages 2

Fixed Packages 2

CVEs 1

Jenkins Dashboard View Plugin prior to 2.16 and 2.12.1 does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

As part of this fix, the property for image URLs was changed from url to imageUrl. Existing Configuration as Code configurations are still supported, but exports will emit the new property.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/dashboard-view	< 2.12.1
pkg:maven/org.jenkins-ci.plugins/dashboard-view	>= 2.13, < 2.16

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/dashboard-view	= 2.12.1
pkg:maven/org.jenkins-ci.plugins/dashboard-view	= 2.16

ID

MAVEN:GHSA-JWHM-9CJM-4493

Severity

moderate

URL

https://github.com/advisories/GHSA-jwhm-9cjm-4493

Published

2021-06-16T17:24:41
(3 years ago)

Modified

2023-12-27T15:26:01
(8 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-2233

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2021-21649
			https://www.jenkins.io/security/advisory/2021-05-11/#SECURITY-2233
			https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2021/21xxx/CVE-2021-21649.json
			https://github.com/jenkinsci/dashboard-view-plugin/commit/586817b081d903e47cfdd05b96b8aae1d2c2700b
			https://github.com/advisories/GHSA-jwhm-9cjm-4493

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/dashboard-view	org.jenkins-ci.plugins	dashboard-view	< 2.12.1
Fixed	pkg:maven/org.jenkins-ci.plugins/dashboard-view	org.jenkins-ci.plugins	dashboard-view	= 2.12.1
Affected	pkg:maven/org.jenkins-ci.plugins/dashboard-view	org.jenkins-ci.plugins	dashboard-view	>= 2.13 < 2.16
Fixed	pkg:maven/org.jenkins-ci.plugins/dashboard-view	org.jenkins-ci.plugins	dashboard-view	= 2.16

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date