CVE-2022-34777
Description
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins GitLab Plugin 1.5.34 and earlier has a stored XSS vulnerability via unescaped fields in webhook-triggered build descriptions, exploitable by attackers with Item/Configure permission.
Vulnerability
Description
Jenkins GitLab Plugin versions 1.5.34 and earlier fail to escape multiple user-provided values that are inserted into the build cause description of webhook-triggered builds. This lack of output encoding allows an attacker to inject arbitrary HTML and JavaScript into the build description, resulting in a stored cross-site scripting (XSS) vulnerability [2][3].
Exploitation
An attacker must have the Item/Configure permission on a Jenkins job to exploit this vulnerability. By configuring a job and providing malicious input in fields that appear in the build cause (such as the merge request title or description), the attacker can store a script that executes when a user views the build page. No additional authentication is required beyond the initial permission [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Jenkins web interface. This can lead to session hijacking, credential theft, or performing administrative actions on behalf of the victim user, depending on the victim's permissions [2].
Mitigation
The vulnerability is fixed in GitLab Plugin version 1.5.35, released on June 30, 2022. The fix removes the display of user-provided fields from the build cause entirely, preventing the injection vector. Users are advised to upgrade to this version or later [2][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
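The defect above is an output-encoding one: user-controlled webhook fields were composed into an HTML-formatted build-cause description, and the `description.jelly` view then emitted that string raw through `<j:out>`, which writes its value without escaping even when the file declares `escape-by-default='true'`. The following Python model is an added example, not code from the plugin or from the Jenkins project; it reproduces that flow so the vulnerable rendering, two escaped variants, and the shipped fix (a constant string) can be compared directly. The payload, template, and function names are constructed for illustration.

```python
"""Model of the CVE-2022-34777 rendering defect (added example, not plugin code).

The plugin built an HTML-formatted build-cause description from webhook fields
and the description.jelly view emitted it raw through <j:out>.  This model
reproduces that flow so raw emission, escaped emission and the static fix can
be checked side by side.  All payload values below are constructed.
"""
import html
import re

# Constructed webhook payload: the merge request title carries markup that a
# browser would execute if it reached the build page unescaped.
WEBHOOK_PAYLOAD = {
    "event": "merge_request",
    "iid": 42,
    "title": 'Fix login <img src=x onerror="alert(1)">',
    "source_branch": "feature/login",
    "target_branch": "main",
}

# Hypothetical description template; the real plugin's wording is not modelled.
TEMPLATE = "Triggered by GitLab Merge Request #{iid}: {title} (from {source} to {target})"


def short_description_raw(payload):
    """Vulnerable composition: user fields are concatenated into HTML verbatim."""
    return TEMPLATE.format(iid=payload["iid"], title=payload["title"],
                           source=payload["source_branch"],
                           target=payload["target_branch"])


def short_description_escaped(payload):
    """Hardened composition: every user-controlled field is HTML-escaped before
    it is placed into the description, so markup becomes inert text."""
    return TEMPLATE.format(
        iid=int(payload["iid"]),
        title=html.escape(str(payload["title"]), quote=True),
        source=html.escape(str(payload["source_branch"]), quote=True),
        target=html.escape(str(payload["target_branch"]), quote=True),
    )


def render_cause_view(description, *, raw_out):
    """Stand-in for description.jelly.  raw_out=True models <j:out>, which
    writes its value unescaped regardless of escape-by-default; raw_out=False
    models a ${...} text expression, which escape-by-default='true' escapes."""
    body = description if raw_out else html.escape(description, quote=True)
    return f"<span>{body}</span>"


def render_cause_view_fixed():
    """The shipped fix for SECURITY-2316: a constant string, so no user data
    reaches the view at all."""
    return "<span>Triggered by GitLab Webhook</span>"


TAG_RE = re.compile(r"<\s*[a-zA-Z][^>]*>")


def has_active_markup(rendered_span):
    """Audit check: does the span body still contain a live HTML tag?
    Useful for scanning stored build descriptions on an un-upgraded instance."""
    inner = rendered_span[len("<span>"):-len("</span>")]
    return bool(TAG_RE.search(inner))


if __name__ == "__main__":
    raw = short_description_raw(WEBHOOK_PAYLOAD)
    vulnerable = render_cause_view(raw, raw_out=True)
    escaped_at_compose = render_cause_view(short_description_escaped(WEBHOOK_PAYLOAD), raw_out=True)
    escaped_at_emit = render_cause_view(raw, raw_out=False)
    for label, out in (("vulnerable", vulnerable),
                       ("escaped when composed", escaped_at_compose),
                       ("escaped when emitted", escaped_at_emit),
                       ("static fix", render_cause_view_fixed())):
        print(f"{label:22} active markup={has_active_markup(out)!s:5} {out}")
```

Escaping once, either when the description is composed or when the view emits it, yields the same inert output; doing both would double-encode, which is why the choice of layer matters. The plugin's fix sidesteps the question by removing the dynamic value from the view entirely.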
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:gitlab-plugin (Maven) | < 1.5.35 | 1.5.35 |
Affected products
- Range: <=1.5.34
- Range: unspecified
Patches
24e9a99d8151 [SECURITY-2316]
1 file changed · +2 −1
src/main/resources/com/dabsquared/gitlabjenkins/cause/GitLabWebHookCause/description.jelly+2 −1 modified@@ -1,4 +1,5 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core"> - <span><j:out value="${it.shortDescription}" /></span> + <!-- SECURITY-2316: This used to show the HTML-formatted it.shortDescription, but that does not properly neutralize user-provided input --> + <span>Triggered by GitLab Webhook</span> </j:jelly>
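Review bot: Replacing `<span><j:out value="${it.shortDescription}" /></span>` with the constant `<span>Triggered by GitLab Webhook</span>` closes the injection point, but it also drops every piece of trigger context from the build cause; if that context is reinstated later it should be written as `${...}` text so the file's `escape-by-default='true'` declaration applies, since `<j:out>` emits its value unescaped regardless of that setting. The SECURITY-2316 comment placed above the new span is the right place to record this, and it would help future readers to say explicitly that `<j:out>` is the reason the original line was unsafe rather than only that the value "does not properly neutralize user-provided input".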
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-f655-xhvm-cwp4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-34777 (NVD advisory)
- github.com/jenkinsci/gitlab-plugin/commit/24e9a99d8151b5345109ef12cddc1ab323baa4ee (fix commit)
- www.jenkins.io/security/advisory/2022-06-30/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.