CVE-2022-27207
Description
Jenkins global-build-stats Plugin ≤1.5 has stored XSS via unescaped chart configuration fields, requiring Overall/Administer permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page. This lack of output encoding allows attackers to inject malicious HTML and JavaScript that is stored and later executed in the browser of any user viewing the page. The vulnerability is a stored cross-site scripting (XSS) flaw affecting all versions up to and including 1.5 [1][2][4].
Exploitation
An attacker must have Overall/Administer permission in Jenkins to access the chart configuration and inject malicious script into one or more of the unescaped fields. The injected payload is stored by the plugin and rendered on the 'Global Build Stats' page, which is accessible to other users with at least Overall/Read permission. The attack requires no user interaction beyond viewing the affected page [1][2].
Impact
A successful exploit results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, credential theft, or arbitrary actions performed on behalf of the victim within Jenkins, potentially compromising the Jenkins controller and its jobs [1][2][4].
Mitigation
As of the Jenkins Security Advisory published on 2022-03-15, no fixed version of the global-build-stats Plugin has been released [1][2]. Users are advised to remove or disable the plugin until a patched version is made available. No workaround is documented. The plugin is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:global-build-stats (Maven) | <= 1.5 | — |
Affected products (2)
- Range: unspecified
Patches
Patches (1)
214f74360b3a: CVE-2022-27207 - fixed stored XSS vulnerability (#38)
1 file changed · +4 −3
src/main/java/hudson/plugins/global_build_stats/model/AbstractBuildStatChartDimension.java+4 −3 modified@@ -5,6 +5,7 @@ import hudson.util.StackedAreaRenderer2; import java.awt.Color; +import java.net.URLEncoder; import java.util.ArrayList; import java.util.List; import java.util.Map; @@ -109,7 +110,7 @@ public String generateURL(CategoryDataset dataset, int row, int column) { boolean notBuildShown=Messages.Build_Results_Item_Legend_Statuses_NOT_BUILD().equals(status); StringBuilder sb = new StringBuilder() - .append("buildHistory?jobFilter=").append(config.getBuildFilters().getJobFilter()) + .append("buildHistory?jobFilter=").append(URLEncoder.encode(config.getBuildFilters().getJobFilter())) .append("&start=").append(range.getStart().getTimeInMillis()) .append("&end=").append(range.getEnd().getTimeInMillis()) .append("&successShown=").append(successShown) @@ -118,10 +119,10 @@ public String generateURL(CategoryDataset dataset, int row, int column) { .append("&abortedShown=").append(abortedShown) .append("¬BuildShown=").append(notBuildShown); if(config.getBuildFilters().getNodeFilter() != null){ - sb.append("&nodeFilter=").append(config.getBuildFilters().getNodeFilter()); + sb.append("&nodeFilter=").append(URLEncoder.encode(config.getBuildFilters().getNodeFilter())); } if(config.getBuildFilters().getLauncherFilter() != null){ - sb.append("&launcherFilter=").append(config.getBuildFilters().getLauncherFilter()); + sb.append("&launcherFilter=").append(URLEncoder.encode(config.getBuildFilters().getLauncherFilter())); } return sb.toString(); }
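Review bot: in the `@@ -109,7 +110,7 @@` hunk the `jobFilter` value is passed through `URLEncoder.encode(...)` unconditionally, while the `nodeFilter` and `launcherFilter` appends in the following hunk are guarded by `!= null` checks; `URLEncoder.encode` throws `NullPointerException` on a null argument, where the previous code would have appended the literal string `null`. If `getJobFilter()` can return null, guard it the same way (or encode a default such as the empty string) so the fix does not turn a stored-XSS sink into a page that fails to render.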
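Review bot: in the `@@ -118,10 +119,10 @@` hunk (and the `jobFilter` line above it) the single-argument `URLEncoder.encode(String)` overload is used; that overload is deprecated because it encodes with the platform default charset, so the generated `buildHistory?...` URL can differ between JVMs. Prefer `URLEncoder.encode(value, "UTF-8")` or, on Java 10+, `URLEncoder.encode(value, StandardCharsets.UTF_8)`. Two further points: the context line showing `¬BuildShown=` is the `&not` of `&notBuildShown=` rendered as an HTML entity by the diff viewer, not a source change, but the literal is worth confirming in the file; and this diff only encodes the three filter values interpolated into the query string of one URL, whereas the description says multiple chart-configuration fields are emitted unescaped, so any other place these fields are written into HTML needs HTML escaping for that context, which `URLEncoder` does not provide.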
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
(5 references)
- github.com/advisories/GHSA-wj78-8xrx-phr7 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-27207 (GHSA; advisory)
- www.openwall.com/lists/oss-security/2022/03/15/2 (GHSA; mailing list, x_refsource_MLIST; web)
- github.com/jenkinsci/global-build-stats-plugin/commit/214f74360b3a91734b6e2a4b281ff0086a1e0679 (GHSA; web)
- www.jenkins.io/security/advisory/2022-03-15/ (GHSA; x_refsource_CONFIRM; web)
News mentions
- Jenkins Security Advisory 2022-03-15 (Jenkins Security Advisories · Mar 15, 2022)