Promotion names in Jenkins promoted builds Plugin are not validated when using Job DSL
High severity
GitHub Reviewed
Published
Apr 13, 2022
to the GitHub Advisory Database
•
Updated Jul 21, 2023
Package
Affected versions
< 3.10.1
>= 3.11, < 876.v99d29788b
Patched versions
3.10.1
876.v99d29788b
Description
Published by the National Vulnerability Database
Apr 12, 2022
Published to the GitHub Advisory Database
Apr 13, 2022
Reviewed
Apr 22, 2022
Last updated
Jul 21, 2023
Jenkins promoted builds Plugin provides dedicated support for defining promotions using Job DSL Plugin.
promoted builds Plugin 873.v6149db_d64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other
config.xml
files.promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 validates the name of promotions.
References