CVE-2022-30956: Cross-site Scripting in Jenkins Rundeck Plugin

CVSS Score (v3.1)
8

Basic Information

EPSS Score
0.96471%
Published
5/18/2022
Updated
1/28/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name: org.jenkins-ci.plugins:rundeck
Ecosystem: maven
Vulnerable Versions: < 3.6.11
First Patched Version: 3.6.11

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper handling of URL schemes in webhook payloads. The advisory explicitly states that versions before 3.6.11 did not restrict URL schemes, and that the fix added sanitization. The webhook processing functions are therefore the most likely location where raw URLs are accepted and processed. The high confidence rests on three points:
1) The vulnerability pattern matches unvalidated URL handling in webhook endpoints.
2) The CWE-79 classification (cross-site scripting) directly implies a failure to neutralize input during web page generation.
3) The patch's stated purpose (URL sanitization) indicates that the vulnerable functions were involved in processing or storing webhook URLs.
