Skip to content

Jenkins JUnit Plugin subject to Cross-site Scripting via URL conversion

High severity GitHub Reviewed Published Nov 16, 2022 to the GitHub Advisory Database • Updated Jan 5, 2024

Package

maven org.jenkins-ci.plugins:junit (Maven)

Affected versions

<= 1159.v0b

Patched versions

1160.vf1f01a_a_ea_b_7f

Description

JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

JUnit Plugin 1160.vf1f01a_a_ea_b_7f no longer converts URLs to clickable links.

References

Published by the National Vulnerability Database Nov 15, 2022
Published to the GitHub Advisory Database Nov 16, 2022
Reviewed Nov 21, 2022
Last updated Jan 5, 2024

Severity

High
8.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2022-45380

GHSA ID

GHSA-298r-5c48-7q2r

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.