[MAVEN:GHSA-Q6Q9-83XW-MP6P] Improper Neutralization of Input During Web Page Generation in Jenkins

Severity Moderate
Affected Packages 2
Fixed Packages 2
CVEs 1

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents.

ID: MAVEN:GHSA-Q6Q9-83XW-MP6P
Severity: moderate
URL: https://github.com/advisories/GHSA-q6q9-83xw-mp6p
Published: 2022-05-24T22:00:43
Modified: 2023-12-19T10:23:55
Rights: Maven Security Team
Other Advisories
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | >= 2.177 <= 2.196 | | |
Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | = 2.197 | | |
Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | <= 2.176.3 | | |
Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | = 2.176.4 | | |