CVE-2022-43409

Description

Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it. Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines. Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of these hyperlinks in build logs.

How to fix CVE-2022-43409

To remediate CVE-2022-43409, upgrade the affected package to a fixed version below.

• —upgrade to 839.v35e2736cfd5c or later

Is CVE-2022-43409 being exploited?

Low — EPSS is 4.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 839.v35e2736cfd5c

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43409
• PATCHgithub.com/jenkinsci/workflow-support-plugin
• WEBgithub.com/jenkinsci/workflow-support-plugin/commit/35e2736cfd5c56799eece176328906d92b6a0dd1
• WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881