High severity · NVD Advisory · Published Jun 22, 2022 · Updated Aug 3, 2024

CVE-2022-34195

Description

Jenkins Repository Connector Plugin 2.2.0 and earlier has a stored XSS vulnerability because it does not escape Maven Repository Artifact parameter names and descriptions on parameter views.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The Jenkins Repository Connector Plugin versions 2.2.0 and earlier contain a stored cross-site scripting (XSS) vulnerability. The plugin fails to escape the name and description of Maven Repository Artifact parameters when they are displayed on views that show parameters. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the Jenkins UI [1][2].

Exploitation Conditions

To exploit this vulnerability, an attacker must have Item/Configure permission for a job. This permission is typically granted to users who can modify job configurations. The attacker can then set a malicious payload as the parameter name or description. When other users (such as developers or administrators) view the job's parameter configuration page, the injected script executes in their browser context [1][2].

Impact

Successful exploitation results in stored cross-site scripting (XSS), enabling the attacker to perform actions on behalf of the victim within Jenkins, such as stealing session cookies, modifying job configurations, or triggering builds. The attack runs in the context of the victim's Jenkins session, potentially leading to privilege escalation or sensitive data exposure [1][2].

Mitigation

The vulnerability is fixed in Repository Connector Plugin version 2.2.1. Users should upgrade immediately. No workarounds are documented; restricting Item/Configure permissions to trusted users may reduce risk, but patching is the recommended remediation [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:repository-connector (Maven) | <= 2.2.0 | |

Affected products

2

References

3
