CVE-2022-30956: Cross-site Scripting in Jenkins Rundeck Plugin
8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.96471%
CWE
Published
5/18/2022
Updated
1/28/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:rundeck | maven | < 3.6.11 | 3.6.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper handling of URL schemes in webhook payloads. The advisory explicitly states that pre-3.6.11 versions lacked URL scheme restrictions, and the fix added sanitization. Webhook processing functions would be the primary location where raw URLs are accepted and processed. The high confidence comes from: 1) The vulnerability pattern matches unvalidated URL handling in webhook endpoints 2) The CWE-79 classification directly implies input neutralization failures during web page generation 3) The patch's stated purpose (URL sanitization
) indicates the vulnerable functions were involved in processing/storing webhook URLs.