Vulnerability Details : CVE-2022-29049
Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-29049
- Jenkins » Promoted Builds » For JenkinsVersions from including (>=) 867.v7c3a_b_83a_eb_79 and before (<) 876.v99d29788b_36b_cpe:2.3:a:jenkins:promoted_builds:*:*:*:*:*:jenkins:*:*
- cpe:2.3:a:jenkins:promoted_builds:*:*:*:*:*:jenkins:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29049
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 20 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29049
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
8.0
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST |
CWE ids for CVE-2022-29049
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- jenkinsci-cert@googlegroups.com (Secondary)
- nvd@nist.gov (Primary)
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-29049
-
https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2655
Jenkins Security Advisory 2022-04-12Vendor Advisory
Jump to