CVE-2022-34787
Description
Jenkins Project Inheritance Plugin 21.04.03 and earlier has a stored XSS vulnerability because it does not escape the blocked-build reason in tooltips.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The Jenkins Project Inheritance Plugin, versions 21.04.03 and earlier, does not escape the reason a build is blocked when that reason is shown in a tooltip. An attacker who can control a queue item's blocked reason can therefore inject HTML, including script, into the page of any user who views the tooltip [1][2].
Exploitation
The issue is a stored cross-site scripting (XSS) vulnerability: the payload is persisted with the queue item rather than supplied in each request. An attacker who can set or influence the blocked reason crafts a reason containing HTML, and it executes in the browser of every user who hovers over the tooltip while the item is blocked [1]. The attacker needs whatever privileges are required to control the blocked reason; the victims need only enough access to view the page that renders the tooltip.
Impact
Successful exploitation runs attacker-chosen JavaScript in the victim's browser with the victim's Jenkins session and permissions. This allows session hijacking, theft of credentials or tokens exposed to the browser, and actions in the Jenkins interface on the victim's behalf; if the victim is an administrator, the attacker gains administrative capabilities [1].
Mitigation
The affected-package table on this page lists no patched version for hudson.plugins:project-inheritance, and no fix is recorded under Patches, so an upgrade cannot be assumed to resolve the issue; consult the Jenkins security advisory [3] for the current fix status. Until a fixed release is available, limit who can control the blocked reason of queue items, and disable or uninstall the plugin on instances where it is not required.
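The server-to-browser path described in the Vulnerability and Mitigation sections, as an added example that is not part of this page or of the plugin's code. It models a view template that writes the blocked reason into a tooltip attribute and a tooltip widget that renders the decoded attribute value as HTML; those two behaviours, the sample reasons, and every function name are assumptions made for the example. It shows why escaping for the attribute context alone leaves the HTML context exposed, and why the fix is to escape for HTML before the attribute escaping is applied:

```javascript
// Added example: a model of the unescaped-tooltip bug class described above.
// It is not code from the Project Inheritance Plugin or from Jenkins.
// Assumptions: the server-side view writes the blocked reason into a tooltip
// attribute, the template serializer escapes attribute values once, and the
// client-side tooltip widget assigns the decoded attribute value to innerHTML.

// Constructed sample inputs: a benign Jenkins-style reason and a hostile one.
const BENIGN_REASON = "Waiting for next available executor";
const HOSTILE_REASON =
  'Blocked by upstream <img src=x onerror="alert(document.domain)">';

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What script sees after the browser decodes an attribute: one layer of
// entity decoding. "&amp;" must be handled last so "&amp;lt;" becomes "&lt;".
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Vulnerable server side: only the serializer's attribute escaping is applied.
// That protects the attribute context, not the HTML context the widget uses.
function tooltipAttrVulnerable(reason) {
  return escapeHtml(reason);
}

// Fixed server side: escape for the HTML context first (in a Jenkins Jelly
// view this is the job of a helper such as h.escape), then the serializer
// escapes the result again for the attribute context.
function tooltipAttrFixed(reason) {
  return escapeHtml(escapeHtml(reason));
}

// Client side: the widget reads the attribute (already decoded by the
// browser) and hands it to innerHTML. Returns the markup innerHTML would parse.
function tooltipMarkup(attrValue) {
  return decodeEntities(attrValue);
}

// Check: names of any element tags that reach the HTML parser.
const TAG_RE = /<\s*([a-zA-Z][\w-]*)/g;
function injectedTags(markup) {
  return Array.from(markup.matchAll(TAG_RE), (m) => m[1].toLowerCase());
}

// Run both server-side variants against one reason and report what the
// tooltip widget would actually parse as elements.
function compare(reason) {
  return {
    vulnerable: injectedTags(tooltipMarkup(tooltipAttrVulnerable(reason))),
    fixed: injectedTags(tooltipMarkup(tooltipAttrFixed(reason))),
  };
}

console.log(compare(HOSTILE_REASON)); // { vulnerable: [ 'img' ], fixed: [] }
```

Run it with node. The fixed variant shows the user the literal text of the hostile reason instead of parsing it, which is the intended behaviour. The same check applies to any Jenkins tooltip that carries user-controlled text: decode the attribute as the browser would and confirm that no tag survives.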
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| hudson.plugins:project-inheritance | Maven | <= 21.04.03 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-3hx4-285w-v6mm (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2022-34787 (NVD entry)
- [3] https://www.jenkins.io/security/advisory/2022-06-30/ (Jenkins security advisory, vendor confirmation)
News mentions
No linked articles in our index yet.