Bug 2136391 (CVE-2022-43409) - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin
Summary: CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in P...
Keywords:
Status: NEW
Alias: CVE-2022-43409
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2136660 2136661 2136662 2136663 2136658 2136659
Blocks: 2136368
Reported: 2022-10-20 06:56 UTC by Avinash Hanwate
Modified: 2022-10-31 12:58 UTC (History)
CC List: 3 users

Fixed In Version: Pipeline Supporting APIs Plugin 839.v35e2736cfd5c
Doc Type: If docs needed, set a value
Doc Text:
A stored cross-site scripting (XSS) vulnerability was found in the Jenkins Pipeline: Supporting APIs Plugin, which does not sanitize or properly encode the URLs of hyperlinks that send POST requests in build logs. An authenticated attacker able to create Pipelines could inject a crafted URL into a build log, causing arbitrary script to run in the browser of any user who views that log.
Clone Of:
Environment:
Last Closed:



Description Avinash Hanwate 2022-10-20 06:56:40 UTC
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881
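The pattern behind this advisory, as an added illustration that is not the plugin's own code: a build-log annotation that renders a hyperlink whose click sends a POST request, first with the Pipeline-supplied URL concatenated straight into the markup, then with the URL validated and encoded once per output context. The markup shape, the `postTo` handler name, the helper functions and the sample URLs are assumptions made for the demonstration, not details taken from the plugin.

```javascript
// Added illustration, not code from Pipeline: Supporting APIs. The markup
// shape, postTo(), the helper names and the sample URLs are all assumed.
// Model: a console annotation turns (url, text) into
//   <a href="URL" onclick="postTo('URL'); return false;">TEXT</a>
// where URL originates from the Pipeline script, i.e. from whoever can
// create Pipelines.

// Constructed attacker-controlled URL: it closes the JS string literal in the
// onclick handler and appends a script statement.
const PAYLOAD = "/job/demo/input/Abc/proceedEmpty');alert(1);//";

// Vulnerable pattern: the URL lands in an HTML attribute and inside a JS
// string literal with no encoding for either context.
function renderPostLinkUnsafe(url, text) {
  return `<a href="${url}" onclick="postTo('${url}'); return false;">${text}</a>`;
}

// Encode for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened pattern: reject anything that is not a plain relative path
// (no scheme, so no javascript:; no protocol-relative //host; no whitespace
// or backslashes), then encode once per context: JSON.stringify for the JS
// string literal, escapeHtml for the attribute that carries it. The browser
// HTML-decodes attribute values before the JS engine parses them, so the
// layering order (JS-encode first, then HTML-encode) is what keeps the URL
// inside the string literal.
function renderPostLinkSafe(url, text) {
  if (typeof url !== 'string' || !/^\/[^\s\\]*$/.test(url) || url.startsWith('//')) {
    throw new Error(`refusing to render non-relative URL: ${JSON.stringify(url)}`);
  }
  const hrefAttr = escapeHtml(url);
  const onclickJs = `postTo(${JSON.stringify(url)}); return false;`;
  return `<a href="${hrefAttr}" onclick="${escapeHtml(onclickJs)}">${escapeHtml(text)}</a>`;
}

// What the JS engine would receive for the onclick handler: extract the
// attribute value and undo the HTML entity encoding the way a browser does.
function onclickSource(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

console.log('unsafe onclick JS:', onclickSource(renderPostLinkUnsafe(PAYLOAD, 'Proceed')));
console.log('safe onclick JS  :', onclickSource(renderPostLinkSafe(PAYLOAD, 'Proceed')));
```

In the unsafe rendering the handler the browser executes is `postTo('/job/demo/input/Abc/proceedEmpty');alert(1);//'); return false;`, so the injected statement runs for every viewer of the log; in the hardened rendering the whole payload stays inside a double-quoted string literal. The URL shape check is a second, independent layer: it stops `javascript:` and off-site targets before encoding is even needed.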

