HIGH

Impact
Users with the permission to create VMIs can construct VMI specs which allow them to read arbitrary files on the host. There are three main attack vectors:

Some path fields on the VMI spec were not properly validated and allowed passing in rela…

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-27…

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.\n\nAffected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the sch…

Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not perform URL validation for the Repository Base URL of List maven artifact versions parameters. This results in a stored cross-site scripting (XSS) vulnerability exploitable by …

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permissio…

Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3478…

Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.
Refe…

Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
References

https://nvd.nist.gov/vuln/…

Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping.
This vulnerability is …

JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
JUnit Plugin 1119.1121.vc43d0fc45561 app…