CVE-2022-45382: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

November 16, 2022 (updated November 21, 2022)

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.

References

github.com/advisories/GHSA-h8hf-hxx6-5g6v
nvd.nist.gov/vuln/detail/CVE-2022-45382
www.jenkins.io/security/advisory/2022-11-15/

Detect and mitigate CVE-2022-45382 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →