CVE-2022-41229 — Jenkins NS-ND Integration Performance Publisher Plugin vulnerable to Cross-site

Description

Jenkins NS-ND Integration Performance Publisher Plugin prior to version 4.8.0.147 does not escape configuration options of the Execute NetStorm/NetCloud Test build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

How to fix CVE-2022-41229

To remediate CVE-2022-41229, upgrade the affected package to a fixed version below.

—upgrade to 4.8.0.147 or later

Is CVE-2022-41229 being exploited?

Moderate — EPSS is 9.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 4.8.0.147

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41229
PATCHgithub.com/jenkinsci/cavisson-ns-nd-integration-plugin
WEBgithub.com/jenkinsci/cavisson-ns-nd-integration-plugin/commit/d77c6c7a279da002178f8244f37093773dd6aee5
WEBwww.jenkins.io/security/advisory/2022-09-21/#SECURITY-2858