VYPR
Moderate severity · NVD Advisory · Published Apr 12, 2022 · Updated Aug 3, 2024

CVE-2022-29038

Description

Jenkins Extended Choice Parameter Plugin <=346.vd87693c5a_86c has stored XSS via unescaped parameter name/description, exploitable by attackers with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Extended Choice Parameter Plugin version 346.vd87693c5a_86c and earlier does not escape the name and description of Extended Choice parameters on views displaying parameters, leading to a stored cross-site scripting (XSS) vulnerability [1]. The stored script can be triggered when any user views a job configuration or build that includes the malicious parameter.

Exploitation

An attacker with Item/Configure permission can set a crafted name or description for an Extended Choice parameter [1]. When a victim views the affected job or build page, the injected script executes in their browser, potentially allowing the attacker to perform actions on behalf of the victim.

Impact

Successful exploitation allows arbitrary JavaScript execution in the victim's browser session, which can lead to session hijacking, credential theft, or unauthorized actions within Jenkins [1]. The attacker gains the privileges of the victim user.

Mitigation

The Extended Choice Parameter Plugin is end-of-life (EOL) and no fix is expected [3]. Jenkins recommends migrating to alternative parameter plugins such as Json Editor Parameter, Active Choices, Extensible Choice, or Editable Choice [3]. Users should also apply standard XSS defenses, such as Content Security Policy (CSP) headers.
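The pattern behind this advisory, as an added example that is neither the plugin's code nor taken from the advisory: a view that concatenates a stored parameter name and description straight into HTML (the defect), the same view with output escaping (the fix), and a small audit over a job config that flags Extended Choice parameters whose name or description already contains markup. In a Jenkins Jelly view the equivalent of the escaped renderer is passing the values through the `h.escape` helper instead of emitting them raw. The sample parameter values and the config.xml fragment are constructed for the example, and the `ExtendedChoiceParameterDefinition` element name and config layout are assumptions, not details taken from the page.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample values for an Extended Choice parameter (not from the
# advisory). The description carries markup, as a stored payload would.
SAMPLE_NAME = "DEPLOY_TARGET"
SAMPLE_DESCRIPTION = 'Pick a target <img src=x onerror="alert(1)">'


def render_parameter_unescaped(name: str, description: str) -> str:
    """Vulnerable pattern: the stored strings are concatenated straight into
    the view, so any markup in name/description reaches the viewer's browser
    as live HTML. This mirrors the defect the advisory describes."""
    return f'<div class="param"><label>{name}</label><p>{description}</p></div>'


def render_parameter_escaped(name: str, description: str) -> str:
    """Hardened pattern: every untrusted string is HTML-escaped before it is
    placed into the document. In a Jenkins Jelly view the equivalent is the
    h.escape helper."""
    return (
        '<div class="param"><label>'
        f'{html.escape(name, quote=True)}</label><p>'
        f'{html.escape(description, quote=True)}</p></div>'
    )


def contains_markup(value: str) -> bool:
    """Audit predicate for stored configuration: a parameter name or
    description has no legitimate need for angle brackets or quotes.
    This is a detection check, not an output encoder."""
    return any(ch in value for ch in '<>"\'')


# Constructed job config.xml fragment. The element name of the plugin's
# parameter definition and the surrounding layout are assumptions.
SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <ExtendedChoiceParameterDefinition>
          <name>DEPLOY_TARGET</name>
          <description>Pick a target &lt;img src=x onerror="alert(1)"&gt;</description>
        </ExtendedChoiceParameterDefinition>
        <hudson.model.StringParameterDefinition>
          <name>BRANCH</name>
          <description>Git branch to build</description>
        </hudson.model.StringParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>
"""


def audit_parameter_definitions(config_xml: str) -> list:
    """Walk every parameter definition in a job config and report the ones
    whose name or description contains markup.
    Returns a list of (element tag, parameter name, offending field)."""
    root = ET.fromstring(config_xml)
    findings = []
    for defs in root.iter("parameterDefinitions"):
        for pdef in defs:
            name = pdef.findtext("name", default="")
            desc = pdef.findtext("description", default="")
            for field, value in (("name", name), ("description", desc)):
                if contains_markup(value):
                    findings.append((pdef.tag, name, field))
    return findings


if __name__ == "__main__":
    print(render_parameter_unescaped(SAMPLE_NAME, SAMPLE_DESCRIPTION))
    print(render_parameter_escaped(SAMPLE_NAME, SAMPLE_DESCRIPTION))
    for finding in audit_parameter_definitions(SAMPLE_CONFIG_XML):
        print("markup in stored parameter:", finding)
```

The audit is the useful part for an instance that cannot be patched: run it over each job's config.xml (or the equivalent through the Jenkins API) to find parameters whose stored name or description already carries markup, then remove or re-create those parameters with one of the replacement plugins named above. The escaped renderer shows what the view should have done; escaping on output is the fix, and CSP is a second layer on top of it, not a substitute.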

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:extended-choice-parameter (Maven)
Affected versions: <= 346.vd87693c5a
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1