VYPR
High severity · NVD Advisory · Published Mar 15, 2022 · Updated Aug 3, 2024

CVE-2022-27202

Description

Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a_86c and earlier do not escape extended choice parameter values and descriptions, leading to stored XSS via Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the value and description of extended choice parameters of the radio button or check box type [1][3]. The result is a stored cross-site scripting (XSS) vulnerability: crafted parameter values are persisted in the job configuration and later rendered without escaping in the Jenkins UI [1][2]. All plugin versions up to and including 346.vd87693c5a_86c are affected [3]. No fix had been released as of the advisory publication [2].

Exploitation

An attacker must hold Item/Configure permission on a Jenkins job to exploit this vulnerability [1][3]. The attacker places a JavaScript payload in the value or description field of an extended choice parameter of the radio button or check box type [1]. When a user views the job configuration or any other page that renders these parameter values, the unescaped payload executes in that user's browser session [1][3]. No user interaction is required beyond viewing the affected page [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's Jenkins session [1]. This can lead to disclosure of sensitive information, session hijacking, or further actions within the Jenkins instance [1]. The impact is limited by the need for the victim to have access to the affected job configuration page and the attacker's prerequisite of Item/Configure permission [1][3].

Mitigation

No fix has been published for this plugin as of the 2022-03-15 advisory [1][2]. The plugin is marked as end-of-life (EOL) with no further development expected [4]. Users are advised to migrate to alternative plugins such as Json Editor Parameter, Active Choices, Extensible Choice, or Editable Choice [4]. As a workaround, block access to the affected job configuration pages or restrict Item/Configure permission to trusted users only [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:extended-choice-parameter (Maven)
Affected versions: <= 346.vd87693c5a
Patched versions: none listed

Patches

No patches discovered yet.
