CVE-2022-46684
Stored XSS vulnerability in Jenkins Checkmarx Plugin
Description
heckmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI. Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability. While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks. Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.
How to fix CVE-2022-46684
To remediate CVE-2022-46684, upgrade the affected package to a fixed version below.
- —upgrade to 2022.4.3 or later
Is CVE-2022-46684 being exploited?
Moderate — EPSS is 9.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 2022.4.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |