nvd-json-data-feeds/CVE-2022/CVE-2022-290xx/CVE-2022-29037.json

{
  "id": "CVE-2022-29037",
  "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
  "published": "2022-04-12T20:15:09.133",
  "lastModified": "2022-04-20T18:30:18.770",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission."
    },
    {
      "lang": "es",
      "value": "El plugin Jenkins CVS versiones 2.19 y anteriores, no escapa del nombre y la descripci\u00f3n de los par\u00e1metros CVS Symbolic Name en las visualizaciones que muestran par\u00e1metros, resultando en una vulnerabilidad de scripting cruzado (XSS) almacenada que puede ser explotada por atacantes con permiso Item/Configure"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "SINGLE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.5
        },
        "baseSeverity": "LOW",
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": true
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    },
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:jenkins:cvs:*:*:*:*:*:jenkins:*:*",
              "versionEndIncluding": "2.19",
              "matchCriteriaId": "1BF609F4-1DB0-4FF7-9071-E134993FE080"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617",
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Vendor Advisory"
      ]
    }
  ]
}