CVE-2022-36922
Description
Jenkins Lucene-Search Plugin does not escape the search query parameter, leading to a reflected XSS vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Jenkins Lucene-Search Plugin, up to and including version 370.v62a5f618cd3a, contains a reflected cross-site scripting (XSS) vulnerability. The plugin does not escape the search query parameter when displaying it on the search results page, allowing an attacker to inject arbitrary HTML or JavaScript. This occurs because the default escaping feature of Jelly, the templating engine used by Jenkins, was disabled for this particular view [1][4].
To exploit this vulnerability, an attacker can craft a malicious URL that includes the injected script as part of the search query parameter. The target user must visit this crafted URL, which then executes the script in the context of their browser session. No authentication is required for exploitation, as the search functionality is typically accessible to unauthenticated users [1][3].
Successful exploitation enables the attacker to perform actions on behalf of the victim, potentially leading to theft of sensitive session tokens and other credentials, and the ability to perform arbitrary actions on the Jenkins instance as the victim user [3]. The Jenkins Security Advisory 2022-07-27 reported this as a medium-severity issue [1].
This vulnerability is fixed in a subsequent release of the Lucene-Search Plugin. Administrators are advised to update to the latest version of the plugin. The fix, as shown in the commit, enables escaping of all content displayed in the search result screen [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
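Added example, not the plugin's or this page's code: a small Python audit that mirrors the fix's logic by scanning Jelly view sources for the `escape-by-default` processing instruction, taking the last directive as the effective one (the hunk under Patches shows the later `'false'` overriding the `'true'` above it), and flagging views that render request parameters while escaping is off. The sample view text is constructed from the first lines of that hunk; the `audit_view` helper and regular expressions are hypothetical names chosen for this example.

```python
"""Audit Jelly views for a disabled escape-by-default directive (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Processing instruction as it appears at the top of a Jelly view (either quote style).
ESCAPE_PI = re.compile(r"<\?jelly\s+escape-by-default=['\"](true|false)['\"]\s*\?>")
# Request data flowing into the view through a Jelly expression.
REQUEST_PARAM = re.compile(r"\$\{[^}]*request\.getParameter\([^}]*\}")


@dataclass
class Finding:
    path: str
    effective_escape: bool | None  # None when the view sets no directive at all
    reads_request: bool

    @property
    def risky(self) -> bool:
        # Escaping off (or never enabled) while untrusted request input is rendered.
        return self.reads_request and not self.effective_escape


def audit_view(path: str, source: str) -> Finding:
    # Assumption grounded in the patch: the last directive parsed wins, which is
    # why the second 'false' line in the vulnerable view overrode the 'true'.
    directives = ESCAPE_PI.findall(source)
    effective = (directives[-1] == "true") if directives else None
    return Finding(path, effective, bool(REQUEST_PARAM.search(source)))


def audit_all(views: dict[str, str]) -> list[Finding]:
    return [audit_view(p, s) for p, s in views.items()]


# Constructed sample sources: the view head before the fix, and the same head after it.
VULNERABLE = """<?jelly escape-by-default='true'?>
<?jelly escape-by-default='false'?>
<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout">
  <j:set var="q" value="${request.getParameter('q')}"/>
  <j:new var="h" className="hudson.Functions"/>
"""
FIXED = VULNERABLE.replace("<?jelly escape-by-default='false'?>\n", "")

if __name__ == "__main__":
    for f in audit_all({"search-results.jelly (before)": VULNERABLE,
                        "search-results.jelly (after)": FIXED}):
        print(f"{f.path}: escape={f.effective_escape} request_input={f.reads_request} "
              f"{'RISKY' if f.risky else 'ok'}")
```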
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:lucene-search (Maven) | < 387.v938a | 387.v938a |
Affected products
- Range: unspecified
Patches
5f9fd00d83a5 Escape everything in search result screen
1 file changed · +0 −1
src/main/resources/org/jenkinsci/plugins/lucene/search/FreeTextSearch/search-results.jelly+0 −1 modified@@ -1,5 +1,4 @@ <?jelly escape-by-default='true'?> -<?jelly escape-by-default='false'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout"> <j:set var="q" value="${request.getParameter('q')}"/> <j:new var="h" className="hudson.Functions"/>
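Review bot: the fix is the right one, but the hunk shows only the head of the view; since `<?jelly escape-by-default='true'?>` now governs the whole file, the remainder of search-results.jelly should be checked both for `${...}` outputs that previously relied on raw rendering (anything deliberately emitting markup would now display as escaped text) and for any place where `q` from `request.getParameter('q')` is still emitted through a construct that bypasses the default. A regression test that renders the view with a `q` value containing markup and asserts the output is escaped would keep a second `escape-by-default` override from being reintroduced, given that this file already had two directives stacked on top of each other.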
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6954-h5c8-m29f (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-36922 (GHSA, ADVISORY)
- www.openwall.com/lists/oss-security/2022/07/27/1 (GHSA, mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/lucene-search-plugin/commit/5f9fd00d83a5a73a7b9579e8139b3db3a9065ed2 (GHSA, WEB)
- www.jenkins.io/security/advisory/2022-07-27/ (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.