CVE-2022-27197

Description

Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views. Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet’s Iframe source URL. Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page. In case of problems, the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue` can be used to customize the sandbox attribute value. The Java system property `hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox` can be used to disable the sandbox completely.

How to fix CVE-2022-27197

To remediate CVE-2022-27197, upgrade the affected package to a fixed version below.

• —upgrade to 2.18.1 or later

Is CVE-2022-27197 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.18.1

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-27197
• PATCHgithub.com/jenkinsci/dashboard-view-plugin
• WEBgithub.com/jenkinsci/dashboard-view-plugin/commit/942c5c78fa834a6be242f144adc2b7f045ccdbc3
• WEBwww.jenkins.io/security/advisory/2022-03-15/#SECURITY-2559