Jenkins Lucene-Search Plugin vulnerable to reflected (XSS) cross-site scripting
High severity
GitHub Reviewed
Published Jul 28, 2022 to the GitHub Advisory Database • Updated Jan 3, 2024
Package
Affected versions: <= 370.v62a5f618cd3a
Patched versions: 387.v938a
Published by the National Vulnerability Database: Jul 27, 2022
Published to the GitHub Advisory Database: Jul 28, 2022
Reviewed: Aug 11, 2022
Last updated: Jan 3, 2024
Description
Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not escape the search query parameter displayed on the search result page.
This results in a reflected cross-site scripting (XSS) vulnerability.