CVE-2022-41225 — Jenkins Anchore Container Image Scanner Plugin vulnerable to cross site scriptin

Description

Jenkins Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

How to fix CVE-2022-41225

To remediate CVE-2022-41225, upgrade the affected package to a fixed version below.

—upgrade to 1.0.25 or later

Is CVE-2022-41225 being exploited?

Moderate — EPSS is 20.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 1.0.25

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41225
PATCHgithub.com/jenkinsci/anchore-container-scanner-plugin
WEBgithub.com/jenkinsci/anchore-container-scanner-plugin/commit/1b1a62ab8ab86b409274e755860ab4e7fcc11800
WEBwww.jenkins.io/security/advisory/2022-09-21/#SECURITY-2821