CVE-2022-34786
Description
Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Rich Text Publisher Plugin 1.4 and earlier has a stored XSS vulnerability due to unescaped HTML in post-build messages, allowing attackers with job configuration access to inject malicious scripts.
Vulnerability
Description
Jenkins Rich Text Publisher Plugin 1.4 and earlier fails to escape the HTML message configured in its post-build step. This allows an attacker to inject arbitrary HTML and JavaScript into the build page, leading to a stored cross-site scripting (XSS) vulnerability [1][2].
Exploitation
An attacker must have the ability to configure jobs (Item/Configure permission) in Jenkins. By setting a malicious HTML message in the post-build step, the injected script is stored and executed whenever a user views the affected build page [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to credential theft, session hijacking, or performing actions on behalf of the victim within Jenkins [1][2].
Mitigation
As of the Jenkins Security Advisory dated June 30, 2022, no fixed version of the Rich Text Publisher Plugin has been released. Users are advised to restrict job configuration permissions to trusted users or consider disabling the plugin if not essential [1].
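The escaping failure described above, shown as an added example that is not part of this record and not the plugin's own code: a stored message is rendered once unchanged (the vulnerable pattern) and once escaped at the output boundary (the fix a maintainer would apply), with a small audit check that flags active markup in the rendered fragment. The message text and the `render_*` / `contains_active_markup` function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample of a post-build message as a user with Item/Configure
# permission could store it. Not taken from the advisory; for illustration only.
STORED_MESSAGE = 'Build done. <img src=x onerror="alert(1)">'


def render_message_unescaped(message: str) -> str:
    """Vulnerable pattern: the stored message is concatenated into the build
    page unchanged, so any markup it contains is interpreted by the browser."""
    return f'<div class="rich-text">{message}</div>'


def render_message_escaped(message: str) -> str:
    """Hardened pattern: escape at the point of output so the message is shown
    as text. quote=True also neutralises quotes, which matters inside attributes."""
    return f'<div class="rich-text">{html.escape(message, quote=True)}</div>'


class _ActiveMarkupFinder(HTMLParser):
    """Flags script elements, on* event-handler attributes and javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.found = True
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.found = True
            if value and value.strip().lower().startswith("javascript:"):
                self.found = True


def contains_active_markup(fragment: str) -> bool:
    """Audit helper: True if the rendered fragment still carries executable
    markup, i.e. escaping did not happen or was applied too early."""
    finder = _ActiveMarkupFinder()
    finder.feed(fragment)
    finder.close()
    return finder.found


if __name__ == "__main__":
    for render in (render_message_unescaped, render_message_escaped):
        out = render(STORED_MESSAGE)
        print(f"{render.__name__}: active markup = {contains_active_markup(out)}")
        print("  ", out)
```

Escaping belongs at the rendering step rather than at save time: a message escaped before storage is silently double-escaped by any later escaping view, and a value stored raw is exactly what this advisory describes if the view forgets to escape it.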
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:rich-text-publisher-plugin (Maven) | <= 1.4 | — |
Affected products
- Range: <=1.4
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2v6r-jf2g-j5q5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-34786 (GHSA, advisory)
- www.jenkins.io/security/advisory/2022-06-30/ (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.