CVE-2022-36905: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

July 28, 2022 (updated December 12, 2022)

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

References

www.openwall.com/lists/oss-security/2022/07/27/1
github.com/advisories/GHSA-8294-mv9c-7m5h
nvd.nist.gov/vuln/detail/CVE-2022-36905
www.jenkins.io/security/advisory/2022-07-27/

Code Behaviors & Features

Detect and mitigate CVE-2022-36905 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →