Cross-Site Scripting Vulnerability in Jenkins Extended Choice Parameter Plugin
CVE-2022-29038

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Extended Choice Parameter Plugin
Vendor: CVE Published:; 12 April 2022

Summary

The Jenkins Extended Choice Parameter Plugin fails to properly escape the name and description of Extended Choice parameters. This flaw can lead to a stored cross-site scripting (XSS) vulnerability. Attackers who have Item/Configure permissions can exploit this vulnerability by injecting malicious scripts, which are then executed in the context of other users who view the parameters on affected Jenkins instances.

Affected Version(s)

Jenkins Extended Choice Parameter Plugin <= 346.vd87693c5a_86c

References

https://www.jenkins.io/security/advisory/2022-04-12/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 12, 2022
Vulnerability Reserved
Apr 11, 2022