Moderate severityNVD Advisory· Published Aug 23, 2022· Updated Aug 3, 2024

CVE-2022-38664

Description

Jenkins Job Configuration History Plugin before 1166.vc9f255f45b_8a fails to escape job names on the System Configuration History page, leading to stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Job Configuration History Plugin before 1166.vc9f255f45b_8a fails to escape job names on the System Configuration History page, leading to stored XSS.

Vulnerability

Overview

CVE-2022-38664 is a stored cross-site scripting (XSS) vulnerability in the Jenkins Job Configuration History Plugin (jobConfigHistory). In versions 1165.v8cc9fd1f4597 and earlier, the plugin does not properly escape job names when rendering them on the System Configuration History page. This allows an attacker who can configure job names to inject arbitrary HTML or JavaScript into the page, which then persists for any user viewing the affected page [1][2].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have the ability to configure job names in Jenkins. This typically requires Job/Configure permission (or equivalent). The attack is carried out by setting a malicious job name containing JavaScript payloads. When a user visits the System Configuration History page, the unsanitized job name is executed in the context of the user's browser, leading to stored XSS [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Jenkins web UI. This can lead to session hijacking, credential theft, unauthorized configuration changes, or other actions performed on behalf of the victim user. The vulnerability is rated High (CVSS 3.1 score not specified in references, but Jenkins advisory marks it as High severity) [2].

Mitigation

The fix was released in Job Configuration History Plugin version 1166.vc9f255f45b_8a, which properly escapes job names on the affected page. Users should upgrade to this version or later. No workaround is available, as the vulnerability is inherent in the plugin's output encoding [2][3].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins:jobConfigHistoryMaven	< 1166.vc9f255f45b	1166.vc9f255f45b

Affected products

ghsa-coords
pkg:maven/org.jenkins-ci.plugins/jobConfigHistory
Range: < 1166.vc9f255f45b
Jenkins Project/Job Configuration History Plugincpe-rescue
Range: unspecified

Patches

c9f255f45b8a

[SECURITY-2765]

https://github.com/jenkinsci/job-config-history-pluginKevin-CBAug 12, 2022via ghsa

commit

1 file changed · +13 −3

src/main/resources/hudson/plugins/jobConfigHistory/JobConfigHistoryRootAction/history.jelly+13 −3 modified

@@ -131,9 +131,19 @@
                       <td style="text-align:center">

                         <j:if test="${it.hasDeleteEntryPermission() and !config.operation.toString().equals(&quot;Deleted&quot;)}">

                           <j:set var="message" value="${%Do you really want to delete the history entry} " />

-                          <button type="button" class="jenkins-button jenkins-button--destructive" onClick="removeEntryFromTable('table-row-${configNr}', '${config.date}', '${config.getJob()}', '${message}')" value="X">

-                            <l:icon src="symbol-trash" class="icon-md" alt="${%Delete Revision}" />

-                          </button>

+                          <div id="target-div" jobName="${config.getJob()}">

+                            <script>

+                              var targetDiv = document.querySelector('#target-div');

+                              var JsJobName = targetDiv.getAttribute('jobName');

+

+                              function removeEntryFromTable2(JsConfigNr, JsConfigDate, JsMessage){

+                                removeEntryFromTable('table-row-' + JsConfigNr, JsConfigDate, JsJobName, JsMessage)

+                              }

+                            </script>

+                            <button type="button" class="jenkins-button jenkins-button--destructive" onClick="removeEntryFromTable2('${configNr}', '${config.date}', '${message}')" value="X">

+                              <l:icon src="symbol-trash" class="icon-md" alt="${%Delete Revision}" />

+                            </button>

+                          </div>

                         </j:if>

                       </td>

                     </tr>

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-28w4-h56g-grg7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-38664ghsaADVISORY
www.openwall.com/lists/oss-security/2022/08/23/2ghsamailing-listx_refsource_MLISTWEB
github.com/jenkinsci/job-config-history-plugin/commit/c9f255f45b8a6ed008d66be094526adfd80ca035ghsaWEB
www.jenkins.io/security/advisory/2022-08-23/ghsax_refsource_CONFIRMWEB

News mentions

Jenkins Security Advisory 2022-08-23
Jenkins Security Advisories · Aug 23, 2022

cvss	0.260
epss	0.013
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000