CVE-2022-46687

HIGH8.0EPSS 9.0%

Cross-site Scripting in Jenkins Spring Config Plugin

Published: 12/12/2022Modified: 11/8/2023

Description

Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. Spring Config Plugin 2.0.1 escapes build display names shown on the Spring Config view.

Affected packages (1)

Maven/io.jenkins.plugins:spring-configfrom 0, < 2.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-46687
PATCHhttps://github.com/jenkinsci/spring-config-plugin
WEBhttps://github.com/jenkinsci/spring-config-plugin/commit/89fea88b24f92233ed31050b8e695eb9b502b8c0
WEBhttps://www.jenkins.io/security/advisory/2022-12-07/#SECURITY-2814