CVE-2022-36905

2022-07-2715:15:10

CWE-79

jenkins

web.nvd.nist.gov

cve-2022-36905

jenkins

maven

metadata plugin

jenkins ci server

xss

vulnerability

nvd

cve

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

22.4%

JSON

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected configurations

Nvd

Node

jenkinsmaven_metadataRange≤2.2jenkins_ci

VendorProductVersionCPE
jenkinsmaven_metadata*cpe:2.3:a:jenkins:maven_metadata:*:*:*:*:*:jenkins_ci:*:*

Vendor	Product	Version	CPE
jenkins	maven_metadata	*	cpe:2.3:a:jenkins:maven_metadata::::::jenkins_ci::*

CNA Affected

[
  {
    "product": "Jenkins Maven Metadata Plugin for Jenkins CI server Plugin",
    "vendor": "Jenkins project",
    "versions": [
      {
        "lessThanOrEqual": "2.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 2.2",
        "versionType": "custom"
      }
    ]
  }
]