CVE-2022-30967
Description
Jenkins Selection tasks Plugin 1.0 and earlier has a stored XSS vulnerability due to improper escaping of script parameter names and descriptions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Selection tasks Plugin versions 1.0 and earlier fail to escape the name and description of Script Selection task variable parameters on views displaying parameters [1][2]. This allows attackers with Item/Configure permission to inject malicious HTML and JavaScript code, resulting in a stored cross-site scripting (XSS) vulnerability.
Exploitation
An attacker with Item/Configure permission can create or modify a Script Selection task to include a malicious script in the parameter name or description. When a user views the parameters on a Jenkins view, the script is executed in the context of the victim's browser [1].
Impact
Successful exploitation leads to stored XSS, allowing the attacker to perform actions like accessing sensitive information, performing administrative actions, or further compromising the Jenkins instance within the victim's session [1].
Mitigation
Jenkins has addressed this vulnerability in newer versions. Please refer to the Jenkins Security Advisory 2022-05-17 [1] for details on the fixed version and upgrade instructions. Users are advised to update to the latest version as soon as possible.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jvnet.hudson.plugins:selection-tasks-plugin (Maven) | <= 1.0 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-mw4r-5mfc-m5vc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-30967 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2022-05-17/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-05-17 (Jenkins Security Advisories · May 17, 2022)