CVE-2022-45380

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/11/15/4	Mailing List
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888	Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/11/15/4	Mailing List
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:junit:*:*:*:*:*:jenkins:*:*

History

No history.

Information

Published : 2022-11-15 20:15

Updated : 2024-11-21 07:29

NVD link : CVE-2022-45380

Mitre link : CVE-2022-45380

CVE.ORG link : CVE-2022-45380

JSON object : View

Products Affected

jenkins

junit

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2022-45380", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2022-11-15T20:15:11.480", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4", "tags": ["Mailing List"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "http://www.openwall.com/lists/oss-security/2022/11/15/4", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."}, {"lang": "es", "value": "Jenkins JUnit Plugin 1159.v0b_396e1e07dd y versiones anteriores convierten las URL HTTP(S) en la salida del informe de prueba en enlaces en los que se puede hacer clic de manera insegura, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) almacenada que pueden explotar los atacantes con permiso Item/Configure."}], "lastModified": "2024-11-21T07:29:09.103", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:junit:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "E137721C-4918-4CB2-A524-5AAAF4B16756", "versionEndExcluding": "1160.vf1f01a_a_ea_b_7f"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}