CVE-2022-34778

UNKNOWN

Published 2022-06-30T17:45:59

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-34778. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Jenkins project

Jenkins TestNG Results Plugin

Affected Versions:

unspecified

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Cross-site Scripting in Jenkins TestNG Results Plugin

GHSA-8hv7-4vfc-w8pg

Advisory Details

TestNG Results Plugin has options in its post-build step configuration to not escape test descriptions and exception messages. If those options are unchecked, TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped text provided in test results. This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results. TestNG Results Plugin 555.va0d5f66521e3 by default ignores the user-level options to not escape content. Administrators who want to restore this functionality must set the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `hudson.plugins.testng.Publisher.allowUnescapedHTML` to true.

Affected Packages

Maven org.jenkins-ci.plugins:testng-plugin

ECOSYSTEM: ≥0 <555.va0d5f66521e3

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-34778

WEB https://github.com/jenkinsci/testng-plugin-plugin/commit/a0d5f66521e3bc470047a0b683004ce8889d3369

PACKAGE https://github.com/jenkinsci/testng-plugin-plugin

WEB https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2788

Advisory provided by GitHub Security Advisory Database. Published: July 1, 2022, Modified: December 9, 2022

References

https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2788

Published: 2022-06-30T17:45:59

Last Modified: 2024-11-20T15:46:21.953Z

Copied to clipboard!

CVE-2022-34778

Expert Analysis

Description

Available Exploits

Related News

Affected Products

Jenkins TestNG Results Plugin

Affected Versions:

GitHub Security Advisories

Cross-site Scripting in Jenkins TestNG Results Plugin

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!