CVE-2022-43420 The Jenkins Contrast plugin 3.9 and earlier doesn't escape data returned from the service, which leads to a stored XSS vulnerability. Attackers who can access the application's backend are able to exploit the vulnerability.

This issue affects the “Credential Discovery” report type only and can be exploited by attackers when Contrast service is used for password management, for example, via a user management system like Active Directory. Jenkins administrators are strongly advised to update to version 3.9.1 or later as soon as possible. A fix has also been released for the Jenkins service itself to avoid possible denial of service due to this issue. In addition, a rev 1.9.1 release of the Jenkins service is available to prevent possible remote code execution due to this issue. When upgrading to Jenkins version 3.9.1 or later, it is also recommended to update the version of the Contrast security plugin on all of the managed host operating systems to rev 3.9.1, in order to avoid possible XSS issues.

Summary of CVE-2022-43420

This issue affects the “Credential Discovery” report type only and can be exploited by attackers when Contrast service is used for password management, for example, via a user management system like Active Directory. Jenkins administrators are strongly advised to update to version 3.9.1 or later as soon as possible. A fix has also been released for the Jenkins service itself to avoid possible denial of service due to this issue. In addition, a rev 1.9.1 release of the Jenkins service is available to prevent possible remote code execution due to this issue. When upgrading to Jenkins version 3.9.1 or later, it is also recommended to update the version of the Contrast security plugin on all of the managed host operating systems to rev 3.9.1, in order to avoid possible XSS issues.

CVE-2021-43418

This issue affects the “Filter Plugin” report type only and can be exploited by attackers when Contrast service is used for password management, for example, via a user management system like Active Directory. Jenkins administrators are strongly advised to update to version 3.9.1 or later as soon as possible. A fix has also been released for the Jenkins service itself to avoid possible denial of service due to this issue. In addition, a rev 1.9.1 release of the Jenkins service is available to prevent possible remote code execution due to this issue. When upgrading to Jenkins version 3.9.1 or later, it is also recommended to update the version of the Contrast security plugin on all of the managed host operating systems to rev 3.9.1, in order to avoid possible XSS issues.>>END>>

Finding the cause of the CVE -2022-43420

This vulnerability was found and fixed by Contrast Security. It has been assigned CVE-2022-43420.

Discovery - CVE-2022-43421

The "Credential Discovery" report type is also impacted and can be exploited by attackers when Contrast service is used for password management, for example, via a user management system like Active Directory. Jenkins administrators are strongly advised to update to version 3.9.1 or later as soon as possible. A fix has also been released for the Jenkins service itself to avoid possible denial of service due to this issue. In addition, a rev 1.9.1 release of the Jenkins service is available to prevent possible remote code execution due to this issue. When upgrading to Jenkins version 3.9.1 or later, it is also recommended to update the version of the Contrast security plugin on all of the managed host operating systems to rev 3.9.1, in order to avoid possible XSS issues.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 03:41:00 UTC

References