Improper Neutralization of Input During Web Page Generation in Jenkins
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Package
Affected versions
<= 2.176.3
>= 2.177, <= 2.196
Patched versions
2.176.4
2.197
Description
Published by the National Vulnerability Database
Sep 25, 2019
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Jun 28, 2022
Last updated
Jan 27, 2023
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
References