CVE-2021-21700
MEDIUM 5.4 | EPSS 0.21% | Stored XSS vulnerability in Jenkins Scriptler Plugin
Published: 2022/5/24 | Modified: 2024/2/16
Description
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts. Jenkins Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.
Affected packages (1)
- Maven / org.jenkins-ci.plugins:scriptler, from 0, < 3.4
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2021-21700
- PATCH: https://github.com/jenkinsci/scriptler-plugin
- WEB: https://github.com/jenkinsci/scriptler-plugin/commit/7e4fa9b51f37714decca30a35dd81e41f72aec93
- WEB: https://www.jenkins.io/security/advisory/2021-11-12/#SECURITY-2406
- WEB: http://www.openwall.com/lists/oss-security/2021/11/12/1