CVE-2022-29041

Aliases:GHSA-m3p3-2gp6-ghq8
Advisory lineage Upstream: 0 Downstream: 2
Modified
Published: 12 Apr 2022, 19:50
Last modified:03 Aug 2024, 06:10

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.4 MEDIUM
v3.1 (nvd)
EPSS Score
0.22% LOW
0% probability -26.91%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

12 Apr 2022, 19:50
Published
Vulnerability first disclosed
03 Aug 2024, 06:10
Last Modified
Vulnerability information updated

Description

Jenkins Jira Plugin 3.7 and earlier, except 3.6.1, does not escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVSS Metrics

  • v3.1MEDIUMScore: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • v2.0LOWScore: 3.5AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.22% Percentile: 44%

Techniques & Countermeasures

  • CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

  • jenkins projectjenkins jira plugin

    ≥ unspecified, ≤ 3.7

  • jenkinsjira

    < 3.6.1 | 3.7

  • org.jenkins-ci.pluginsjira

    ≥ 3.7.0, < 3.7.1 | < 3.6.1

References (4)