Lucene search

GitHub Advisory DatabaseGHSA-5C6C-W4C4-VGVX

HistoryJan 06, 2022 - 6:45 p.m.

Stored XSS vulnerability in Jenkins Scriptler Plugin

2022-01-0618:45:09

CWE-79

GitHub Advisory Database

github.com

jenkins

scriptler plugin

stored xss

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

22.0%

JSON

Jenkins Scriptler Plugin 3.1 and earlier does not escape script content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

Jenkins Scriptler Plugin 3.2 escapes script content.

Affected configurations

Vulners

Node

org.jenkins-ci.pluginsscriptlerRange<3.2

VendorProductVersionCPE
org.jenkins-ci.pluginsscriptler*cpe:2.3:a:org.jenkins-ci.plugins:scriptler:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.jenkins-ci.plugins	scriptler	*	cpe:2.3:a:org.jenkins-ci.plugins:scriptler::::::::

References

www.openwall.com/lists/oss-security/2021/06/16/3

github.com/advisories/GHSA-5c6c-w4c4-vgvx

nvd.nist.gov/vuln/detail/CVE-2021-21668

www.jenkins.io/security/advisory/2021-06-16/#SECURITY-2390

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

22.0%

JSON

Related for GHSA-5C6C-W4C4-VGVX