CVE-2023-30520

2023-04-1218:15:09

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-30520

jenkins

quay.io trigger plugin

xss

vulnerability

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

49.2%

JSON

Jenkins Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads.

Affected configurations

NVD

Node

jenkinsquay.io_triggerRange≤0.1jenkins

CPENameOperatorVersion
jenkins:quay.io_triggerjenkins quay.io triggerle0.1

CPE	Name	Operator	Version
jenkins:quay.io_trigger	jenkins quay.io trigger	le	0.1

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "Jenkins Quay.io trigger Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "0.1",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]