CVE-2022-27197
MEDIUM5.4EPSS 0.15%Stored Cross-site Scripting vulnerability in Jenkins Dashboard View Plugin
描述
Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views. Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet’s Iframe source URL. Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page. In case of problems, the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue` can be used to customize the sandbox attribute value. The Java system property `hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox` can be used to disable the sandbox completely.
受影響套件(1)
- Maven/org.jenkins-ci.plugins:dashboard-viewfrom 0, < 2.18.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-27197
- PATCHhttps://github.com/jenkinsci/dashboard-view-plugin
- WEBhttps://github.com/jenkinsci/dashboard-view-plugin/commit/942c5c78fa834a6be242f144adc2b7f045ccdbc3
- WEBhttps://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2559
- WEBhttp://www.openwall.com/lists/oss-security/2022/03/15/2