First published: Tue Apr 12 2022 (Updated: )
A flaw was found in the Jenkins Subversion plugin. The plugin does not escape the name and description of "List Subversion tags" parameters on views that display parameters. This results in a stored cross-site scripting (XSS) vulnerability, exploitable by attackers with Item/Configure permission.
Credit: Evgeny Kotkov (visualsvn.com), jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix
---|---|---
redhat/jenkins | <2-plugins-0:3.11.1650628887-1.el7 | 2-plugins-0:3.11.1650628887-1.el7
redhat/jenkins | <2-plugins-0:4.10.1650890594-1.el8 | 2-plugins-0:4.10.1650890594-1.el8
redhat/jenkins | <2-plugins-0:4.6.1653312933-1.el8 | 2-plugins-0:4.6.1653312933-1.el8
redhat/jenkins | <2-plugins-0:4.7.1652967082-1.el8 | 2-plugins-0:4.7.1652967082-1.el8
redhat/jenkins | <2-plugins-0:4.8.1646993358-1.el8 | 2-plugins-0:4.8.1646993358-1.el8
redhat/jenkins | <2-plugins-0:4.9.1651754460-1.el8 | 2-plugins-0:4.9.1651754460-1.el8
Jenkins Subversion | <=2.15.3 |
Apple macOS | >=12.0, <12.5 |
maven/org.jenkins-ci.plugins:subversion | <2.15.4 | 2.15.4
redhat/subversion plugin | <2.15.4 | 2.15.4
 | <12.5 | 12.5
The vulnerability ID for this issue is CVE-2022-29046.
The severity of CVE-2022-29046 is high with a CVSS score of 5.4.
The affected software for CVE-2022-29046 includes Jenkins Subversion plugin versions up to 2.15.4, and Red Hat OpenShift Developer Tools and Services releases shipping Jenkins plugin versions up to 4.10.1650890594-1.el8.
The CWE ID for CVE-2022-29046 is CWE-79.
To fix CVE-2022-29046, update to Jenkins Subversion plugin version 2.15.4 or later, and to the Red Hat OpenShift Developer Tools and Services release shipping Jenkins plugin version 4.10.1650890594-1.el8 or later.