Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/net.nemerosa.ontrack/ontrack-service@feature-496-docker-extensions-a60bb31

Type maven

Namespace net.nemerosa.ontrack

Name ontrack-service

Version feature-496-docker-extensions-a60bb31

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.0.1

Latest_non_vulnerable_version 4.0.1

Affected_by_vulnerabilities

url VCID-4qfd-cuqj-kkbj

vulnerability_id VCID-4qfd-cuqj-kkbj

summary

Code Inection
A sandbox bypass vulnerability in Jenkins ontrack Plugin allowed attackers with control over ontrack DSL definitions to execute arbitrary code on the Jenkins master JVM.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-10306

reference_id

reference_type

scores

value	0.0028
scoring_system	epss
scoring_elements	0.51582
published_at	2026-06-04T12:55:00Z

value	0.0028
scoring_system	epss
scoring_elements	0.51642
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-10306

reference_url

https://github.com/jenkinsci/ontrack-plugin

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/jenkinsci/ontrack-plugin

reference_url

https://github.com/jenkinsci/ontrack-plugin/commit/7f0f806c18fdd6043103d848ba4c813cb805dd85

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/jenkinsci/ontrack-plugin/commit/7f0f806c18fdd6043103d848ba4c813cb805dd85

reference_url

https://jenkins.io/security/advisory/2019-04-17/#SECURITY-1341

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://jenkins.io/security/advisory/2019-04-17/#SECURITY-1341

reference_url

http://www.securityfocus.com/bid/108045

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/108045

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-10306

reference_id

CVE-2019-10306

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-10306

reference_url	https://github.com/advisories/GHSA-qw28-g63m-jxqv
reference_id	GHSA-qw28-g63m-jxqv
reference_type
scores
url	https://github.com/advisories/GHSA-qw28-g63m-jxqv

fixed_packages

url	pkg:maven/net.nemerosa.ontrack/ontrack-service@3.4.1
purl	pkg:maven/net.nemerosa.ontrack/ontrack-service@3.4.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/net.nemerosa.ontrack/ontrack-service@3.4.1

url pkg:maven/net.nemerosa.ontrack/ontrack-service@3.33.0

purl pkg:maven/net.nemerosa.ontrack/ontrack-service@3.33.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-txrr-1nxq-fyfd

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/net.nemerosa.ontrack/ontrack-service@3.33.0

aliases CVE-2019-10306, GHSA-qw28-g63m-jxqv

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4qfd-cuqj-kkbj

url VCID-txrr-1nxq-fyfd

vulnerability_id VCID-txrr-1nxq-fyfd

summary

Cross-site Scripting in Jenkins ontrack Jenkins Plugin
Jenkins ontrack Jenkins Plugin 4.0.0 and earlier does not escape the name of Ontrack: Multi Parameter choice, Ontrack: Parameter choice, and Ontrack: SingleParameter parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Exploitation of this vulnerability requires that parameters are listed on another page, like the \"Build With Parameters\" and \"Parameters\" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the \"Build With Parameters\" and \"Parameters\" pages since 2.44 and LTS 2.32.2 as part of the [SECURITY-353 / CVE-2017-2601](https://www.jenkins.io/security/advisory/2017-02-01/#persisted-cross-site-scripting-vulnerability-in-parameter-names-and-descriptions) fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see [SECURITY-2617 in the 2022-04-12 security advisory for a list](https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2617).

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-34192

reference_id

reference_type

scores

value	0.16751
scoring_system	epss
scoring_elements	0.95067
published_at	2026-06-04T12:55:00Z

value	0.16751
scoring_system	epss
scoring_elements	0.95075
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-34192

reference_url

https://github.com/jenkinsci/ontrack-plugin

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jenkinsci/ontrack-plugin

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-34192

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-34192

reference_url

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2784

reference_id

reference_type

scores

value	8.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2784

reference_url

https://github.com/advisories/GHSA-6882-385p-hhhw

reference_id

GHSA-6882-385p-hhhw

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6882-385p-hhhw

fixed_packages

url	pkg:maven/net.nemerosa.ontrack/ontrack-service@4.0.1
purl	pkg:maven/net.nemerosa.ontrack/ontrack-service@4.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/net.nemerosa.ontrack/ontrack-service@4.0.1

aliases CVE-2022-34192, GHSA-6882-385p-hhhw

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-txrr-1nxq-fyfd

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/net.nemerosa.ontrack/ontrack-service@feature-496-docker-extensions-a60bb31

Package Instance