CVE-2022-27212
Description
Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name of the 'List Git branches (and more)' parameter, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:list-git-branches-parameter (Maven) | <= 0.0.9 | — |
Affected products
- Jenkins project / Jenkins List Git Branches Parameter Plugin (version range: unspecified)
Patches
Vulnerability mechanics
Root cause
"Missing HTML escaping of the parameter name in Jenkins List Git Branches Parameter Plugin allows stored cross-site scripting."
Attack vector
An attacker with Item/Configure permission on a Jenkins job can set the name of a 'List Git branches (and more)' parameter to a malicious JavaScript payload. When a victim (such as a project administrator or a user triggering a build) views the job configuration page or the build parameters page, the unsanitized parameter name is rendered in the HTML, causing the attacker's script to execute in the victim's browser. This stored cross-site scripting (XSS) attack [CWE-79] does not require any network-level manipulation; the payload is stored in the job configuration and served to every subsequent viewer.
What the fix does
The patch wraps the parameter name in `${h.escape(it.name)}` inside both `value.jelly` and `index.jelly`, ensuring that any HTML metacharacters in the name are encoded before being rendered. Previously the raw `it.name` was passed directly to the `title` attribute of the `f:entry` tag, allowing an attacker to inject arbitrary HTML or JavaScript. The description field is rendered via `it.formattedDescription`, which already provides safe rendering, so it needs no additional escaping.
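As an added illustration of the fix (not code from the plugin or the advisory), the Python below models the two shapes of the Jelly `f:entry` `title` attribute: `render_entry_vulnerable` interpolates the raw name as the pre-fix template did, and `render_entry_fixed` passes it through an escaper first. `html.escape` stands in for Jenkins' `h.escape` (whose exact escaping rules are not reproduced here), the `ParameterDefinition` class and the hostile parameter name are constructed for the example, and `parsed_attrs` uses the standard-library HTML parser to show what a browser-like parser recovers from each rendering.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class ParameterDefinition:
    """Constructed stand-in for the plugin's parameter object (`it` in Jelly)."""
    name: str                   # the 'List Git branches (and more)' parameter name
    formatted_description: str  # assumed already-safe HTML, like it.formattedDescription


def render_entry_vulnerable(it: ParameterDefinition) -> str:
    """Pre-fix shape: it.name lands in the title attribute unescaped."""
    return f'<div class="entry" title="{it.name}">{it.formatted_description}</div>'


def render_entry_fixed(it: ParameterDefinition) -> str:
    """Post-fix shape: the name is HTML-escaped (quotes included) before rendering."""
    safe_name = html.escape(it.name, quote=True)
    return f'<div class="entry" title="{safe_name}">{it.formatted_description}</div>'


class _FirstDivAttrs(HTMLParser):
    """Collects the attributes of the first <div> the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "div" and self.attrs is None:
            # HTMLParser unescapes entity references in attribute values for us
            self.attrs = dict(attrs)


def parsed_attrs(markup: str) -> dict:
    """Return the attributes a parser recovers from the rendered entry."""
    parser = _FirstDivAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def name_survives_round_trip(renderer, name: str) -> bool:
    """True when the parser sees exactly the intended attributes and the full name."""
    it = ParameterDefinition(name=name, formatted_description="<i>pick a branch</i>")
    attrs = parsed_attrs(renderer(it))
    return attrs.get("title") == name and set(attrs) == {"class", "title"}


# Constructed parameter name: a quote closes the title attribute early and an
# angle bracket would start markup if it were ever copied into element content.
HOSTILE_NAME = 'branch" data-x="<b>'


if __name__ == "__main__":
    it = ParameterDefinition(HOSTILE_NAME, "<i>pick a branch</i>")
    print("vulnerable:", parsed_attrs(render_entry_vulnerable(it)))
    print("fixed:     ", parsed_attrs(render_entry_fixed(it)))
```

Run directly, the vulnerable rendering yields a truncated `title` plus an attacker-chosen extra attribute, while the fixed rendering yields only `class` and a `title` equal to the original name; that attribute-boundary preservation is exactly what the `h.escape` wrapper buys.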
Preconditions
- auth: Attacker must have Item/Configure permission on a Jenkins job
- config: The job must use the List Git Branches Parameter plugin (version 0.0.9 or earlier)
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7756-56hr-2vcp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-27212 (NVD record)
- www.openwall.com/lists/oss-security/2022/03/15/2 (oss-security mailing list)
- www.jenkins.io/security/advisory/2022-03-15/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2022-03-15 (Jenkins Security Advisories · Mar 15, 2022)