VYPR
Moderate severity · NVD Advisory · Published Apr 12, 2022 · Updated Aug 3, 2024

CVE-2022-29037

Description

Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins CVS Plugin 2.19 and earlier does not escape CVS Symbolic Name parameter attributes, leading to stored XSS for users with Item/Configure permission.

Vulnerability

The Jenkins CVS Plugin, versions 2.19 and earlier, fails to escape the name and description of CVS Symbolic Name parameters when displayed on views that render these parameters. This stored cross-site scripting (XSS) vulnerability resides in the plugin's parameter rendering component, as evidenced by the fix that adds HTML escaping via h.escape(it.name) and it.formattedDescription calls [1][4]. The vulnerability affects all users who have Item/Configure permission on a Jenkins project, as they can create or modify CVS Symbolic Name parameters with malicious payloads.

Exploitation

An attacker must have Item/Configure permission in Jenkins to exploit this vulnerability. The attacker can create or edit a CVS Symbolic Name parameter in a Jenkins project, setting the name or description fields to contain malicious JavaScript code. When the affected view (such as the project configuration page or parameterized build trigger) renders the parameter, the injected script executes in the context of the victim's browser session, because the plugin does not sanitize the output [1][2]. No additional user interaction beyond viewing the page is required.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any Jenkins user who views the affected parameter. This can lead to compromise of the victim's Jenkins session, enabling actions such as creating new credentials, modifying jobs, or exfiltrating sensitive information. The stored XSS vulnerability is classified as high severity with a CVSS score that reflects the potential for significant impact on confidentiality, integrity, and availability [1][2].

Mitigation

Jenkins released a fix in CVS Plugin version 2.19.1, which is available from the Jenkins update center. All users should upgrade to at least version 2.19.1 to remediate this vulnerability. As of the advisory date (2022-04-12), no workaround is provided by the vendor, and the plugin does not appear on the CISA KEV list. Users unable to upgrade should ensure that only trusted users have Item/Configure permission [1][4].
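For instances that cannot be upgraded right away, existing job configurations can be audited for CVS Symbolic Name parameters whose name or description already contains markup. The following is an added example, not code from the advisory or the plugin; the `config.xml` element name is assumed from the class path in the fix commit, the `<name>`/`<description>` children are assumed, and the sample config is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed element name, taken from the class path in the fix commit
# (hudson/scm/CvsTagsParamDefinition); <name>/<description> children are assumed.
PARAM_TAG = "hudson.scm.CvsTagsParamDefinition"
# Names should never carry markup; descriptions may hold quotes or "&" in
# ordinary prose, so only angle brackets are flagged there for review.
SUSPICIOUS = {"name": re.compile(r"[<>\"'&]"), "description": re.compile(r"[<>]")}
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def audit_job_config(job, config_xml):
    """Return (job, field, value) for each CVS Symbolic Name parameter whose
    name or description contains characters a browser would treat as markup."""
    # Jenkins can write an XML 1.1 declaration, which some parsers reject; drop it.
    body = XML_DECL.sub("", config_xml, count=1)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [(job, "config.xml", f"unparseable: {exc}")]
    findings = []
    for param in root.iter(PARAM_TAG):
        for field, pattern in SUSPICIOUS.items():
            value = (param.findtext(field) or "").strip()
            if pattern.search(value):
                findings.append((job, field, value))
    return findings

# Constructed sample, not taken from a real Jenkins instance.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project><properties><hudson.model.ParametersDefinitionProperty>
  <parameterDefinitions>
    <hudson.scm.CvsTagsParamDefinition>
      <name>RELEASE_TAG</name>
      <description>Tag to build</description>
    </hudson.scm.CvsTagsParamDefinition>
    <hudson.scm.CvsTagsParamDefinition>
      <name>TAG&lt;b&gt;x&lt;/b&gt;</name>
      <description>plain</description>
    </hudson.scm.CvsTagsParamDefinition>
  </parameterDefinitions>
</hudson.model.ParametersDefinitionProperty></properties></project>"""

if __name__ == "__main__":
    for finding in audit_job_config("demo-job", SAMPLE_CONFIG):
        print(finding)
```

A flagged description is a prompt for review rather than proof of abuse, since descriptions may legitimately carry formatted text.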

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:cvs (Maven) | < 2.19.1 | 2.19.1

Patches

043ef8801a7b

SECURITY-2700

https://github.com/jenkinsci/cvs-plugin · Temirlan Dyussyumbayev · Apr 5, 2022 · via ghsa
2 files changed · +4 -2
  • src/main/resources/hudson/scm/CvsTagsParamDefinition/index.jelly +2 -1 modified
    @@ -23,7 +23,8 @@ THE SOFTWARE.
     -->
     <?jelly escape-by-default='true'?>
     <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
    -  <f:entry title="${it.name}" description="${it.description}">
    +    <j:set var="escapeEntryTitleAndDescription" value="false"/>
    +    <f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
       <div name="parameter">
           <input type="hidden" name="name" value="${it.name}"/>
           <select name="tagName">
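Review bot: on the new `<f:entry>` line, the description is emitted as `${it.formattedDescription}` while `escapeEntryTitleAndDescription` is set to false, so nothing in this template escapes it and its safety rests entirely on what `formattedDescription` returns, which this diff does not show. Please confirm that it passes the description through the configured markup formatter, and add a short Jelly comment above the `<j:set>` saying the title is escaped by hand and the description arrives pre-formatted, so a later edit does not put `it.description` back. Minor: the two added lines are indented four spaces where the line they replace used two.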
    
  • src/main/resources/hudson/scm/CvsTagsParamValue/value.jelly +2 -1 modified
    @@ -23,7 +23,8 @@ THE SOFTWARE.
     -->
     <?jelly escape-by-default='true'?>
     <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
    -    <f:entry title="${it.name}">
    +    <j:set var="escapeEntryTitleAndDescription" value="false"/>
    +    <f:entry title="${h.escape(it.name)}">
             <f:textbox name="${it.name}" value="${it.description}" />
         </f:entry>
     </j:jelly>
    \ No newline at end of file
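Review bot: the added `<j:set var="escapeEntryTitleAndDescription" value="false"/>` switches off escaping for the whole `<f:entry>`, and only `title` is wrapped in `h.escape` here, so a `description` attribute added to this entry later would render raw. A one-line comment next to the `<j:set>` stating that every attribute on this entry must now be escaped by hand would make that visible. The file also still ends without a trailing newline, which could be fixed while it is being touched.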
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
