VYPR
High severity · NVD Advisory · Published Mar 29, 2022 · Updated Aug 3, 2024

CVE-2022-28149

Description

Stored XSS in Jenkins Job and Node Ownership Plugin allows attackers with Item/Configure permission to execute arbitrary JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Job and Node Ownership Plugin 0.13.0 and earlier does not escape the names of secondary owners when rendering them, resulting in a stored cross-site scripting (XSS) vulnerability [1][2][3]. All versions up to and including 0.13.0 are affected.

Exploitation

An attacker with Item/Configure permission can set a secondary owner name to a string containing a JavaScript payload. Because the name is stored and later rendered without escaping, the script runs in the browser of any user who views the page where the owner name is displayed [1][2][3].

Impact

Successful exploitation allows arbitrary JavaScript execution in the Jenkins interface with the privileges of the viewing user. This can lead to information disclosure, session hijacking, or actions performed on behalf of the victim user [1].

Mitigation

As of the Jenkins Security Advisory of 2022-03-29, this vulnerability remains unpatched [2], and no fixed version is available. Administrators should consider removing the plugin or restricting Item/Configure permission to trusted users only, and should monitor the plugin's GitHub repository for a fix [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.synopsys.jenkinsci:ownership (Maven)
Affected versions: <= 0.13.0
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1