{"id":"CVE-2022-45380","details":"Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.","aliases":["GHSA-298r-5c48-7q2r"],"modified":"2026-04-11T17:20:31.992136Z","published":"2022-11-15T20:15:11.480Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2022/11/15/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/junit-plugin","events":[{"introduced":"0"},{"fixed":"f1f01aaeab7fa35017112f6163b89283390f5da8"}],"database_specific":{"cpe":"cpe:2.3:a:jenkins:junit:*:*:*:*:*:jenkins:*:*","extracted_events":[{"introduced":"0"},{"fixed":"1160.vf1f01a_a_ea_b_7f"}],"source":"CPE_FIELD"}}],"versions":["1119.va_a_5e9068da_d7","1143.v8d9a_e3355270","1144.v909f4d9978e8","1150.v5c2848328b_60","1153.v1c24f1a_d2553","1156.vcf492e95a_a_b_0","1159.v0b_396e1e07dd","junit-1.0","junit-1.1","junit-1.10","junit-1.11","junit-1.12","junit-1.13","junit-1.15","junit-1.16","junit-1.17","junit-1.18","junit-1.19","junit-1.2","junit-1.2-beta-1","junit-1.2-beta-2","junit-1.2-beta-3","junit-1.2-beta-4","junit-1.20","junit-1.21","junit-1.22","junit-1.22-beta-1","junit-1.22.1","junit-1.22.2","junit-1.23","junit-1.24","junit-1.25","junit-1.26","junit-1.26.1","junit-1.27","junit-1.28","junit-1.29","junit-1.3","junit-1.30","junit-1.31","junit-1.32","junit-1.33","junit-1.34","junit-1.35","junit-1.36","junit-1.37","junit-1.38","junit-1.39","junit-1.4","junit-1.40","junit-1.41","junit-1.42","junit-1.43","junit-1.44","junit-1.45","junit-1.46","junit-1.47","junit-1.48","junit-1.49","junit-1.5","junit-1.50","junit-1.51","junit-1.52","junit-1.53","junit-1.53.1","junit-1.54","junit-1.55","junit-1.56","junit-1.57","junit-1.58","junit-1.59","junit-1.6","junit-1.60","junit-1.61","junit-1.62","junit-1.63","junit-1.64","junit-1.7","junit-1.8","junit-1.9","next","untagged-5894d25928dffc9e1c74"],"database_specific":{"vanir_signatures_modified":"2026-04-11T17:20:31Z","vanir_signatures":[{"target":{"file":"src/main/java/hudson/tasks/test/TestResult.java","function":"annotate"},"id":"CVE-2022-45380-1f0b7778","signature_type":"Function","source":"https://github.com/jenkinsci/junit-plugin/commit/f1f01aaeab7fa35017112f6163b89283390f5da8","digest":{"length":302,"function_hash":"38294456350444789013210639004402907239"},"signature_version":"v1","deprecated":false},{"target":{"file":"src/main/java/hudson/tasks/test/TestResult.java"},"id":"CVE-2022-45380-21d9a6d1","signature_type":"Line","source":"https://github.com/jenkinsci/junit-plugin/commit/f1f01aaeab7fa35017112f6163b89283390f5da8","digest":{"threshold":0.9,"line_hashes":["2225401747299320852080542399052709805","99249616740815944559024538286290614722","33943821901500803482902317084357399668","134959686665864286334375638333516063018","335464968731219873310029178275645702998"]},"signature_version":"v1","deprecated":false},{"target":{"file":"src/test/java/hudson/tasks/junit/CaseResultTest.java","function":"testIssue20090516"},"id":"CVE-2022-45380-4d26b284","signature_type":"Function","source":"https://github.com/jenkinsci/junit-plugin/commit/f1f01aaeab7fa35017112f6163b89283390f5da8","digest":{"length":1695,"function_hash":"330100818296320259612808637477993308494"},"signature_version":"v1","deprecated":false},{"target":{"file":"src/test/java/hudson/tasks/junit/CaseResultTest.java"},"id":"CVE-2022-45380-f1b6f3c6","signature_type":"Line","source":"https://github.com/jenkinsci/junit-plugin/commit/f1f01aaeab7fa35017112f6163b89283390f5da8","digest":{"threshold":0.9,"line_hashes":["105760925231973394457059287493049116557","291963206071645492035950516074043568183","319756535385095139936226281162870273864","111749473775717998740462728825706334334","254217782379462401764117099421662878431","47730623145202323616316132669709898356","235319950552540420305583589492187072655","64378740672680513442327214871375999425","113325138338067756198975403345935847864","18652588658598405426216144477977985826","3860659112271162621978642608933898659","164676917687804307766644917714343520500","103680098942388434811122264162650388905","216015386586637357358576104717541980820","243058701891112986281998550630983263001","247204135802776440345957359596706439799","241655725629138046442191887134011558583","174744788031642835271637674084875516304","2933739595873277214713012132661057054","63855147448386309975258435690859927592","49880183837748484450480822847475221045"]},"signature_version":"v1","deprecated":false}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-45380.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}