VYPR
High severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

CVE-2022-34795

Description

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier has a stored XSS vulnerability due to unescaped environment names in the deployment dashboard view.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names when rendering the Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability [1][2]. The plugin manages deployment of software artifacts to different environments (e.g., DEV, TEST, PROD) by tracking artifact versions in configured repositories and EC2 instances [3]. The defect is that an environment name, which is attacker-controlled configuration data, is written into the dashboard's HTML without HTML escaping, so markup embedded in the name is interpreted by the viewer's browser.

Exploitation

Prerequisites

Exploitation requires the View/Configure permission on the Jenkins instance [1][2], i.e. an authenticated account that is allowed to configure the dashboard; no further privilege is needed. The attacker saves a malicious payload as an environment name, which injects arbitrary HTML and JavaScript into the dashboard view. Whenever another user, including an administrator, opens the dashboard, the injected script runs in that user's browser with that user's Jenkins session.

Impact

Successful exploitation allows an attacker to perform arbitrary actions in the context of the victim's Jenkins session [1][2], for example modifying job configurations, reading credentials the victim can access, or triggering builds. Because the payload is stored in the plugin's configuration, it persists and fires for every user who views the compromised dashboard until the offending environment name is removed from the configuration.
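The following Python model, added here as an illustration and not code from the plugin or from Jenkins, ties together the Vulnerability, Exploitation and Impact sections above: an environment name is loaded from stored configuration, rendered into dashboard HTML either unescaped (the bug class this advisory describes) or escaped (the fix class), and a scan shows how an operator would find a payload that is already planted. The XML layout, element names and the payload are constructed for the example; the real plugin's config schema is not reproduced here.

```python
"""Stored-XSS data flow for an unescaped environment name (added example)."""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample config (not the plugin's real schema). Jenkins keeps
# plugin configuration as XML under $JENKINS_HOME, which is where a stored
# payload lives between the attacker saving it and a victim viewing it.
SAMPLE_CONFIG_XML = """<environments>
  <environment><name>DEV</name></environment>
  <environment><name>TEST</name></environment>
  <environment><name>PROD"&gt;&lt;img src=x onerror=alert(document.cookie)&gt;</name></environment>
</environments>"""

# The same payload as the third name decodes to after XML parsing (constructed).
XSS_PAYLOAD = 'PROD"><img src=x onerror=alert(document.cookie)>'


def load_environment_names(config_xml: str) -> list:
    """Returns the configured environment names in document order."""
    root = ET.fromstring(config_xml)
    return [e.findtext("name", default="") for e in root.iter("environment")]


def render_row_vulnerable(env_name: str) -> str:
    """Interpolates the raw name into both an attribute and text context.

    This is the bug class in the advisory: nothing is escaped, so a name
    containing '"><img ...>' closes the attribute and injects an element.
    """
    return f'<tr><td class="env" title="{env_name}">{env_name}</td></tr>'


def render_row_fixed(env_name: str) -> str:
    """Escapes & < > " ' so the name is inert in attribute and text context."""
    safe = html.escape(env_name, quote=True)
    return f'<tr><td class="env" title="{safe}">{safe}</td></tr>'


# Characters and fragments that a legitimate environment name never needs
# but an injected payload almost always does. Used to audit stored config.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def find_suspicious_names(names) -> list:
    """Returns the names that look like injected markup or script."""
    return [n for n in names if SUSPICIOUS.search(n)]


def contains_active_markup(rendered_html: str) -> bool:
    """True if an element tag from the payload survived rendering intact."""
    return bool(re.search(r"<img\b|<script\b", rendered_html, re.IGNORECASE))


if __name__ == "__main__":
    names = load_environment_names(SAMPLE_CONFIG_XML)
    print("suspicious names:", find_suspicious_names(names))
    for name in names:
        print("vulnerable:", render_row_vulnerable(name))
        print("fixed:     ", render_row_fixed(name))
```

The audit helper is the part worth running on a real instance: because no patched plugin version is listed on this page, removing the plugin stops future injection but does not clean up a payload already saved in its configuration, so check existing environment names for markup as part of the response. In a Jenkins plugin the escaping itself belongs in the Jelly view rather than in Java; declaring `<?jelly escape-by-default='true'?>` at the top of the view makes `${...}` output HTML-escaped, which is the standard Jenkins guidance for this class of bug.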

Mitigation

The affected-packages data on this page lists no patched version for org.jenkins-ci.plugins:ec2-deployment-dashboard, and no patch has been linked, so the vulnerability should be treated as unfixed in every released version up to and including 1.0.10 [1][2]. Until a fixed release exists, uninstall or disable the plugin, restrict the View/Configure permission to trusted users, and review the configured environment names for injected markup, since a stored payload survives in the configuration even after the plugin is removed. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of the advisory date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                          Ecosystem  Affected versions  Patched versions
org.jenkins-ci.plugins:ec2-deployment-dashboard  Maven      <= 1.0.10          (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3