CVE-2022-43409
Description
Jenkins Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of hyperlinks sending POST requests in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-support (Maven) | < 839.v35e2736cfd5c | 839.v35e2736cfd5c |
Affected products
- Range: unspecified
Patches
Vulnerability mechanics
Root cause
"Insufficient sanitization and encoding of URLs embedded in JavaScript event handlers allows for stored cross-site scripting (XSS)."
Attack vector
An attacker with the ability to create or configure Jenkins Pipelines can inject malicious payloads into build logs. By crafting a URL that includes JavaScript injection sequences, the attacker can trigger stored cross-site scripting (XSS) when a user views the build log and clicks the hyperlink. This is possible because the plugin fails to properly encode the URL before embedding it into the `onclick` attribute of the generated HTML. [patch_id=22829]
Affected code
The vulnerability exists in `POSTHyperlinkNote.java` within the `extraAttributes()` method. This method improperly constructs an `onclick` JavaScript event handler by directly embedding a URL into an `Ajax.Request` call without sufficient sanitization. [patch_id=22829]
What the fix does
The patch introduces a new `encodeForJavascript` method in `POSTHyperlinkNote.java` that applies URL encoding followed by Base64 encoding to the URL string. The `extraAttributes()` method was updated to use this encoded string, which is then safely decoded within the JavaScript context using `decodeURIComponent(atob(...))`. This ensures that any malicious characters in the URL are neutralized and cannot break out of the JavaScript string context to execute arbitrary code. [patch_id=22829]
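The encoding scheme described above, as an added example that is not the plugin's own code: the unsafe concatenation is shown next to the hardened URL-encode-then-Base64 form, together with the browser-side decode and a check that the attacker-controlled portion of the attribute can no longer contain string- or attribute-terminating characters. The exact Java encoder and the shape of the `Ajax.Request` call are approximated, and Base64 is done with Node's `Buffer` so the block runs outside a browser.

```javascript
// Added example (not the workflow-support plugin's code). Assumption: the
// pre-fix handler concatenated the URL straight into a JS string literal.
function unsafeOnclick(url) {
  return "new Ajax.Request('" + url + "', {method: 'POST'})";
}

// Hardened form: percent-encode, then Base64. The Base64 alphabet is
// [A-Za-z0-9+/=], none of which can end a JS string or an HTML attribute.
// (The Java patch uses its own URL encoder; encodeURIComponent is the
// closest match for decodeURIComponent on the client side.)
function encodeForJavascript(url) {
  return Buffer.from(encodeURIComponent(url), 'utf8').toString('base64');
}

function safeOnclick(url) {
  return "new Ajax.Request(decodeURIComponent(atob('" +
    encodeForJavascript(url) + "')), {method: 'POST'})";
}

// Browser-side decode as the patched handler performs it.
// Falls back to Buffer when atob is not a global (older Node versions).
function browserDecode(encoded) {
  const raw = typeof atob === 'function'
    ? atob(encoded)
    : Buffer.from(encoded, 'base64').toString('latin1');
  return decodeURIComponent(raw);
}

// Defender's check: does a string contain any character that could
// terminate the JS string literal or the surrounding HTML attribute?
function containsContextBreakers(s) {
  return /['"<>\\\n\r]/.test(s);
}

// Constructed sample URL carrying exactly the characters that matter here.
const SAMPLE_URL = "/job/demo/123/input/Proceed?x=1'<b>&y=\"q\"";

// Stand-alone demonstration.
console.log('unsafe attribute leaks raw quote/angle brackets:',
  containsContextBreakers(unsafeOnclick(SAMPLE_URL)));
console.log('encoded part is inert:',
  !containsContextBreakers(encodeForJavascript(SAMPLE_URL)));
console.log('round trip ok:', browserDecode(encodeForJavascript(SAMPLE_URL)) === SAMPLE_URL);
```

The round trip also holds for non-ASCII path segments, since `encodeURIComponent` emits UTF-8 percent escapes that `decodeURIComponent` reverses after `atob`.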
Preconditions
- The attacker must have permission to create or configure Jenkins Pipelines.
Generated on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-64r9-x74q-wxmh (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-43409 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list)
- github.com/jenkinsci/workflow-support-plugin/commit/35e2736cfd5c56799eece176328906d92b6a0dd1 (fix commit)
- www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory)