VYPR
High severity · NVD Advisory · Published Jun 22, 2022 · Updated Aug 3, 2024

CVE-2022-34191

Description

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.77 and earlier fails to escape NetStorm Test parameter names, enabling stored XSS for users with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

The Jenkins NS-ND Integration Performance Publisher Plugin (formerly Cavisson NS-ND Integration) versions 4.8.0.77 and earlier does not properly escape the name of NetStorm Test parameters when rendering them on views that display parameters. This results in a stored cross-site scripting (XSS) vulnerability [1][2]. The root cause is that parameter names are directly included in the HTML output without sanitization, allowing an attacker to inject arbitrary HTML or JavaScript [4].

Attack Vector and Prerequisites

To exploit this vulnerability, an attacker must have Item/Configure permission on a Jenkins job that uses the NS-ND Integration Performance Publisher Plugin [1][2]. The attacker can set a malicious parameter name containing script code when configuring a NetStorm Test parameter. This name is then stored and later executed in the browser of any user who views the affected parameter display page, such as job configuration pages or build parameter prompts [1]. No additional authentication or network position is required beyond the initial Jenkins access.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Jenkins UI, potentially leading to session hijacking, credential theft, or other actions performed as the victim user. Since the XSS is stored, every visit to the affected view triggers the payload, increasing the persistence and reach of the attack [2].

Mitigation

The Jenkins Security Advisory 2022-06-22 recommends upgrading the plugin to version 4.8.0.78 or later [1]. The fix, visible in commit 5b6dc59, escapes the parameter name using h.escape(it.name) in the Jelly view [4]. Users who cannot upgrade should ensure that only trusted users have Item/Configure permission and avoid viewing parameter configurations from untrusted sources.
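
As an added example (not code from the advisory or from the plugin), the following Python check flags f:entry titles in Jelly views that interpolate an expression without h.escape, which is the pattern the fix commit changes. The function names are hypothetical, the two sample views are constructed from the title line before and after the fix, and a finding is a candidate for manual review rather than proof of a vulnerable view.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

FORM_NS = "/lib/form"                  # URI bound to the f: prefix in the views
EXPR = re.compile(r"\$\{(.*?)\}")      # a ${...} expression inside an attribute
ESCAPED = re.compile(r"^h\.escape\(.*\)$")

def unescaped_entry_titles(jelly_source):
    """Return expressions placed in <f:entry title="..."> without h.escape()."""
    root = ET.fromstring(jelly_source)
    findings = []
    for entry in root.iter("{%s}entry" % FORM_NS):
        for expr in EXPR.findall(entry.get("title", "")):
            expr = expr.strip()
            # ${%Key} with no arguments is a localized label, not object data.
            static_label = expr.startswith("%") and "(" not in expr
            if not static_label and not ESCAPED.match(expr):
                findings.append(expr)
    return findings

def scan_tree(root_dir):
    """Map each *.jelly file under root_dir to its candidate findings."""
    report = {}
    for path in Path(root_dir).rglob("*.jelly"):
        try:
            found = unescaped_entry_titles(path.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            found = ["unparseable: %s" % exc]
        if found:
            report[str(path)] = found
    return report

# Constructed samples: minimal well-formed views around the title line
# as it reads before and after the fix commit.
BEFORE = """<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
<f:entry title="${it.name}" description="${it.formattedDescription}">
<f:textbox name="value" value="${it.defaultValue}"/>
</f:entry>
</j:jelly>"""

AFTER = """<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
<j:set var="escapeEntryTitleAndDescription" value="false"/>
<f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
<f:textbox name="value" value="${it.defaultValue}"/>
</f:entry>
</j:jelly>"""

if __name__ == "__main__":
    print("before:", unescaped_entry_titles(BEFORE))
    print("after: ", unescaped_entry_titles(AFTER))
```

Running scan_tree over a plugin's src/main/resources directory lists the views whose entry titles still need the same review.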

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.jenkins.plugins:cavisson-ns-nd-integration (Maven) | < 4.8.0.129 | 4.8.0.129 |

Patches

5b6dc5957edc

Update index.jelly

1 file changed · +2 -2
  • src/main/resources/com/cavisson/jenkins/NetstormTestParameterDefinition/index.jelly (+2 -2, modified)
    @@ -2,8 +2,8 @@
     <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
     	xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
     	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">
    -
    -<f:entry title="${it.name}" description="${it.formattedDescription}">
    +<j:set var="escapeEntryTitleAndDescription" value="false"/>
    +<f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
     <div name="parameter" description="${it.formattedDescription}">
     <input type="hidden" name="name" value="${it.name}" />
     <f:textbox name="value" value="${it.defaultValue}" 
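Review bot: The hidden input in the unchanged context under the new f:entry line still writes value="${it.name}" with no explicit escaping, and this hunk starts at line 2, so the declaration that would cover it is not visible here. Please confirm that line 1 of index.jelly is <?jelly escape-by-default='true'?>; if it is missing, add it rather than leaving this attribute as a second output point for the same parameter name. Separately, the new j:set of escapeEntryTitleAndDescription to false makes this view responsible for both attributes of f:entry: the title is covered by h.escape(it.name), but description="${it.formattedDescription}" is emitted as returned, so a short comment stating that formattedDescription is expected to be sanitized already would help the next maintainer.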
    
6321f09aa951

Update value.jelly

1 file changed · +2 -1
  • src/main/resources/com/cavisson/jenkins/NetstormStringParameterValue/value.jelly (+2 -1, modified)
    @@ -2,7 +2,8 @@
     <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define"
     	xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"
     	xmlns:i="jelly:fmt" xmlns:p="/lib/hudson/project">
    -	<f:entry title="${it.name}" description="${it.description}">
    +	<j:set var="escapeEntryTitleAndDescription" value="false"/>
    +	<f:entry title="${h.escape(it.name)}" description="${it.formattedDescription}">
                 <div >
                     <f:textbox name="value" value="${it.value}" readonly="true" />
                 </div>
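Review bot: The added f:entry line changes description from ${it.description} to ${it.formattedDescription} in the same edit that sets escapeEntryTitleAndDescription to false, and the commit message "Update value.jelly" does not mention either change. With the tag's own escaping turned off, whatever formattedDescription returns is rendered as markup, so please confirm that NetstormStringParameterValue actually exposes formattedDescription and that it returns sanitized output; if it does not, the description will either render empty or become a new unescaped sink. I would also expand the commit message to say that the title is now escaped with h.escape(it.name) and why the description source changed.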
    
