CVE-2022-45380

HIGH8.0EPSS 2.2%

Jenkins JUnit Plugin subject to Cross-site Scripting via URL conversion

發布日:2022/11/16修改日:2024/2/16

描述

JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links. This is done in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. JUnit Plugin 1160.vf1f01a_a_ea_b_7f no longer converts URLs to clickable links.

受影響套件(1)

Maven/org.jenkins-ci.plugins:junitfrom 0, < 1160.vf1f01a_a_ea_b_7f

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-45380
PATCHhttps://github.com/jenkinsci/junit-plugin
WEBhttps://github.com/jenkinsci/junit-plugin/commit/f1f01aaeab7fa35017112f6163b89283390f5da8
WEBhttps://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888
WEBhttp://www.openwall.com/lists/oss-security/2022/11/15/4