CVE-2022-41240
Description
Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:walti (Maven) | <= 1.0.1 | — |
Affected products
- Range: unspecified
Patches
Vulnerability mechanics
Root cause
"The Walti Plugin does not escape information received from the Walti API before rendering it in Jenkins, enabling stored cross-site scripting."
Attack vector
An attacker who can control or inject malicious API responses from the Walti service can embed arbitrary HTML or JavaScript in those responses. When the Jenkins Walti Plugin renders the unescaped API data in a Jenkins interface, the malicious script executes in the context of the victim's browser session. No direct network access to Jenkins is required beyond the ability to serve a crafted Walti API response.
Affected code
The advisory states that the Walti Plugin versions 1.0.1 and earlier fail to escape information provided by the Walti API. The patch [patch_id=1641257] does not show the plugin source code; it only adds the plugin to an artifact-ignores.properties file to suspend its distribution. The exact vulnerable functions are not visible in this patch.
What the fix does
The patch [patch_id=1641257] suspends distribution of the Walti plugin via the Jenkins update center, effectively preventing new installations. This is a stopgap measure because the underlying code flaw—missing output escaping of Walti API responses—is not corrected in the plugin itself. The suspension blocks further exposure until a fixed version is published.
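To make the flaw class concrete, the following Java snippet (added here as an illustration; it is not the Walti plugin's code and its field names, `scanName` and `summary`, and the hostile response values are constructed for the example) renders a field taken from an upstream API response into an HTML fragment twice: once by concatenating the raw value, which is the unescaped-output pattern the advisory describes, and once with HTML escaping applied at the point of output.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ApiResponseRendering {

    /** Escapes the characters that can break out of HTML element content. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: API-supplied text is concatenated straight into markup. */
    static String renderUnescaped(String scanName, String summary) {
        return "<div class=\"walti-result\"><h3>" + scanName
                + "</h3><p>" + summary + "</p></div>";
    }

    /** Hardened pattern: every API-supplied value is escaped where it is emitted. */
    static String renderEscaped(String scanName, String summary) {
        return "<div class=\"walti-result\"><h3>" + escapeHtml(scanName)
                + "</h3><p>" + escapeHtml(summary) + "</p></div>";
    }

    /** Test-style check: an API value that carried markup must not appear verbatim in the output. */
    static boolean containsRawMarkup(String html, String apiValue) {
        return apiValue.contains("<") && html.contains(apiValue);
    }

    public static void main(String[] args) {
        // Constructed stand-in for a hostile upstream response (hypothetical field names).
        Map<String, String> response = new LinkedHashMap<>();
        response.put("scanName", "nightly <script>alert(1)</script>");
        response.put("summary", "3 findings & \"details\"");

        String vulnerable = renderUnescaped(response.get("scanName"), response.get("summary"));
        String fixed = renderEscaped(response.get("scanName"), response.get("summary"));

        System.out.println("unescaped render carries the markup verbatim: "
                + containsRawMarkup(vulnerable, response.get("scanName")));
        System.out.println("escaped render carries the markup verbatim:   "
                + containsRawMarkup(fixed, response.get("scanName")));
        System.out.println(fixed);
    }
}
```

The escaping shown is sufficient only for element content; a value placed inside an attribute, a URL, or a script block needs the escaping rules for that context. In a Jenkins plugin the same discipline is normally achieved by keeping the `<?jelly escape-by-default='true'?>` directive in each Jelly view and never routing API-derived strings through a raw-output construct.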
Preconditions
- input: Attacker must be able to provide a malicious API response from the Walti service (e.g., by compromising the Walti API or performing a man-in-the-middle attack).
- config: Jenkins instance must have Walti Plugin 1.0.1 or earlier installed and configured to use the attacker-controlled Walti API endpoint.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7qpm-vmwv-hq7h (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-41240 (GHSA, ADVISORY)
- github.com/jenkins-infra/update-center2/pull/644 (GHSA, WEB)
- plugins.jenkins.io/walti (GHSA, WEB)
- www.jenkins.io/security/advisory/2022-09-21/ (GHSA, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-09-21 (Jenkins Security Advisories, Sep 21, 2022)