{"containers": {"cna": {"affected": [{"product": "Jenkins Subversion Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.15.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:21:30.891Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.apple.com/kb/HT213345"}, {"name": "20220721 APPLE-SA-2022-07-20-2 macOS Monterey 12.5", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2022/Jul/18"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-29046", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Subversion Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.15.3"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"}, {"name": "https://support.apple.com/kb/HT213345", "refsource": "CONFIRM", "url": "https://support.apple.com/kb/HT213345"}, {"name": "20220721 APPLE-SA-2022-07-20-2 macOS Monterey 12.5", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2022/Jul/18"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:10:58.937Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.apple.com/kb/HT213345"}, {"name": "20220721 APPLE-SA-2022-07-20-2 macOS Monterey 12.5", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2022/Jul/18"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-29046", "datePublished": "2022-04-12T19:50:44", "dateReserved": "2022-04-11T00:00:00", "dateUpdated": "2024-08-03T06:10:58.937Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:subversion:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "FFE39036-B5C9-4E00-BD27-0D090D4958E1", "versionEndIncluding": "2.15.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFABC0C7-944C-4B46-A985-8B4F8BF93F54", "versionEndExcluding": "12.5", "versionStartIncluding": "12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."}, {"lang": "es", "value": "El plugin Jenkins Subversion versiones 2.15.3 y anteriores, no escapan el nombre y la descripci\u00f3n de los par\u00e1metros de las etiquetas List Subversion (y m\u00e1s) en las visualizaciones que muestran par\u00e1metros, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado explotable por atacantes con permiso de Item/Configure"}], "id": "CVE-2022-29046", "lastModified": "2023-11-02T22:00:06.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-12T20:15:09.567", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/Jul/18"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "https://support.apple.com/kb/HT213345"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:2280", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-2-plugins-0:3.11.1650628887-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2022-05-31T00:00:00Z"}, {"advisory": "RHSA-2022:1600", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "jenkins-2-plugins-0:4.10.1650890594-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2022-05-02T00:00:00Z"}, {"advisory": "RHSA-2022:4947", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "jenkins-2-plugins-0:4.6.1653312933-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2022-06-17T00:00:00Z"}, {"advisory": "RHSA-2022:4909", "cpe": "cpe:/a:redhat:openshift:4.7::el8", "package": "jenkins-2-plugins-0:4.7.1652967082-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.7", "release_date": "2022-06-10T00:00:00Z"}, {"advisory": "RHSA-2022:0871", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "jenkins-2-plugins-0:4.8.1646993358-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2022-03-22T00:00:00Z"}, {"advisory": "RHSA-2022:2205", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "jenkins-2-plugins-0:4.9.1651754460-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2022-05-18T00:00:00Z"}], "bugzilla": {"description": "subversion: Stored XSS vulnerabilities in Jenkins subversion plugin", "id": "2074851", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074851"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.", "A flaw was found in the Jenkins Subversion plugin. The Jenkins subversion plugin does not escape the name and description of List Subversion tags and parameters on views displaying the parameters. This issue results in a stored Cross-site scripting (XSS) vulnerability, exploitable by attackers with Item/Configure permission."], "name": "CVE-2022-29046", "public_date": "2022-04-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-29046\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-29046\nhttps://www.jenkins.io/security/advisory/2022-04-12/"], "threat_severity": "Important", "upstream_fix": "subversion plugin 2.15.4"}