High severity · NVD Advisory · Published Jun 22, 2022 · Updated Aug 3, 2024

CVE-2022-34184

Description

Jenkins CRX Content Package Deployer Plugin 1.9 and earlier has a stored XSS vulnerability due to improper escaping of parameter names and descriptions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

The CRX Content Package Deployer Plugin does not escape the name and description of CRX Content Package Choice parameters when they are displayed on parameter views. HTML and JavaScript placed in those fields is therefore stored and later rendered unescaped in the Jenkins UI, which is a stored cross-site scripting (XSS) vulnerability [1][2].

Exploitation

An attacker with Item/Configure permission can craft a malicious parameter name or description containing XSS payloads. When other users view the parameterized build page, the payload executes in their browser context. No additional authentication is required beyond the ability to configure jobs [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Jenkins interface of a victim user. This can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim [1][2].

Mitigation

The vulnerability is present in plugin versions 1.9 and earlier. As of the advisory date, users should update to a patched version when available. In the absence of a fix, restricting Item/Configure permissions to trusted users reduces the attack surface [1].
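Because no fixed version is listed, reviewing what is already stored in job configurations complements the permission restriction above. The following is an added example, not code from the advisory or the plugin: it scans a job's config.xml for parameter names and descriptions that contain markup and shows the escaped form a correct view would render. The sample XML is constructed, the CRX parameter's element name is a placeholder, and the scan covers every parameter type because the plugin's class name is not given on this page.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample job config.xml (read real ones only from your own
# JENKINS_HOME). The second parameter's element name is a placeholder,
# not the plugin's real class name.
SAMPLE_CONFIG = """<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.StringParameterDefinition>
          <name>TARGET_ENV</name>
          <description>Build &amp; deploy target</description>
        </hudson.model.StringParameterDefinition>
        <example.PlaceholderCrxChoiceParameterDefinition>
          <name>PACKAGE</name>
          <description>&lt;b&gt;pick one&lt;/b&gt;</description>
        </example.PlaceholderCrxChoiceParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>"""

# Anything that starts like an HTML tag, closing tag or comment.
TAG_LIKE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def audit_parameters(config_xml):
    """Return one finding per parameter name/description containing markup."""
    findings = []
    root = ET.fromstring(config_xml)
    for container in root.iter("parameterDefinitions"):
        for param in container:
            for field in ("name", "description"):
                value = param.findtext(field) or ""
                if TAG_LIKE.search(value):
                    findings.append({
                        "type": param.tag,
                        "field": field,
                        "value": value,
                        # What a view that escapes correctly would emit.
                        "escaped": html.escape(value),
                    })
    return findings


if __name__ == "__main__":
    for f in audit_parameters(SAMPLE_CONFIG):
        print(f"{f['type']}.{f['field']}: {f['value']!r} -> {f['escaped']!r}")
```

A plain ampersand, as in the first sample parameter, is not flagged; only tag-like content is reported for review.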

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:crx-content-package-deployer (Maven)
Affected versions: <= 1.9
Patched versions: (none listed)

Affected products

2

Patches

0

No patches discovered yet.

References

3
