CVE-2022-45387
Description
Jenkins BART Plugin 1.0.3 and earlier has a stored XSS vulnerability due to improper escaping of build log content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, leading to a stored cross-site scripting (XSS) vulnerability [1]. This means that any malicious HTML or JavaScript embedded in build logs will be executed in the browser of any user viewing those logs.
To exploit this vulnerability, an attacker must be able to inject crafted content into build logs. This could be achieved by a Jenkins user with permission to create builds or by influencing build output through other means. No special network position is required beyond access to the Jenkins UI [2].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Jenkins web interface. This can lead to session hijacking, credential theft, or performing administrative actions on behalf of the victim user.
As of the advisory publication date, no fix is available for BART Plugin. The plugin has been suspended from the Jenkins update center as a result of this and other issues [3]. Users are advised to disable or remove the plugin until a patched version is released.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:bartMaven | <= 1.0.3 | — |
Affected products
- Range: unspecified
Patches
1726621ce79a4 Add suspensions for additional plugins after 2022-11-15 advisory (#658)
1 file changed · +2 −0
resources/artifact-ignores.properties+2 −0 modified@@ -25,6 +25,7 @@ aws-lambda-plugin # renamed to aws-lambda aws-yum-paramater # renamed to package-parameter # deprecated -- https://github.com/jenkinsci/azure-iot-edge-plugin/blob/master/Readme.md azure-iot-edge = https://github.com/jenkinsci/azure-iot-edge-plugin/blob/master/Readme.md +bart = https://github.com/jenkins-infra/update-center2/pull/658 bees-sdk-plugin # removal requested by ndeloof: RUN@cloud service no longer exists binary-deployer # removal requested by alecharp: this plugin was never meant to be deployed. POC project. # "This plugin is no longer supported and should not be used." @@ -167,6 +168,7 @@ octoperf-jenkins-plugin # released from wrong repository; will be renam openstack-plugin # renamed to openstack-cloud # service discontinued origo-issue-notifier = https://wiki.jenkins-ci.org/display/JENKINS/Origo+Issue+Notifier +osf-builder-suite-xml-linter = https://github.com/jenkins-infra/update-center2/pull/658 otabuilder # latest sources at https://github.com/jeslyvarghese/otabuilder-plugin but discontinued due to tool chain discontinued -- https://wiki.jenkins-ci.org/display/JENKINS/Over-the-Air+Ad+Hoc+Deployment+Plugin+For+iOS paaslane # renamed to paaslane-estimate # renamed to extended-security-settings
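Review bot: In the first hunk (@@ -25,6 +25,7 @@), the new `bart = https://github.com/jenkins-infra/update-center2/pull/658` entry points back at this pull request itself rather than at the reason for the suspension, whereas the neighbouring entries (`azure-iot-edge`, `origo-issue-notifier`) link to a readme or wiki page explaining why the plugin is ignored. Consider linking the advisory instead, e.g. `bart = https://www.jenkins.io/security/advisory/2022-11-15/`, so someone reading the file later can see that this is a security suspension and not a rename.

Review bot: Same point for the second hunk (@@ -167,6 +168,7 @@): `osf-builder-suite-xml-linter = https://github.com/jenkins-infra/update-center2/pull/658` is self-referential, and the commit message is the only place that ties it to the 2022-11-15 advisory. Either link the advisory URL or add a trailing `# suspended per 2022-11-15 security advisory` comment in the style the file already uses for `bees-sdk-plugin` and `binary-deployer`. Also worth noting in review that this change only stops the update center from distributing the plugin; already-installed copies keep the unescaped rendering.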
Vulnerability mechanics
Root cause
"The BART Plugin does not escape the parsed content of build logs before rendering it on the Jenkins UI, allowing stored cross-site scripting."
Attack vector
An attacker who can cause build log output containing malicious HTML or JavaScript to be generated (e.g., by injecting script tags into build steps or source code) can exploit this vulnerability. When a victim with sufficient permissions views the affected build log page in Jenkins, the unescaped content is rendered by the browser, executing the attacker's script. This is a stored cross-site scripting attack because the malicious payload persists in the build log and executes whenever the log is viewed.
Affected code
The advisory describes a stored cross-site scripting vulnerability in the Jenkins BART Plugin version 1.0.3 and earlier. The plugin does not escape the parsed content of build logs before rendering it on the Jenkins UI. The patch [patch_id=1641191] only suspends the plugin in the update center; it does not contain a code-level fix for the XSS vulnerability itself.
What the fix does
The patch [patch_id=1641191] adds the BART plugin to the artifact-ignores.properties file, which suspends it from the Jenkins update center. This is a mitigation that prevents new installations of the vulnerable plugin, not a code fix that resolves the XSS vulnerability. The advisory states that the plugin fails to escape build log content before rendering, so a proper fix would require the plugin to properly escape or sanitize log output before displaying it on the Jenkins UI.
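The following is an added example and not code from the BART Plugin or from Jenkins; it shows the unescaped rendering pattern the advisory describes next to the escaped form a code-level fix would need. The class name `LogLineView`, the method names and the sample log lines are all constructed for illustration. Inside an actual Jenkins plugin the escaping step would normally be done with the core helper `hudson.Util.escape` rather than a hand-written escaper; the escaper here exists only so the example compiles with no Jenkins dependency.

```java
// Added example, not the BART Plugin's code. LogLineView is a hypothetical stand-in
// for whatever builds the HTML fragment that the plugin's view emits per parsed log line.
import java.util.List;

public final class LogLineView {

    // Vulnerable pattern (what the advisory describes): the parsed log line is concatenated
    // straight into HTML, so markup inside the log becomes live in every viewer's browser.
    public static String renderUnsafe(String parsedLine) {
        return "<div class=\"bart-line\">" + parsedLine + "</div>";
    }

    // Hardened pattern: escape HTML-significant characters before the line enters the markup.
    // In a real plugin, hudson.Util.escape(parsedLine) from Jenkins core does this job.
    public static String renderEscaped(String parsedLine) {
        return "<div class=\"bart-line\">" + escapeHtml(parsedLine) + "</div>";
    }

    // Minimal HTML text escaper covering the characters that can open or close markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample log lines; the second carries markup a build step could have printed.
        List<String> lines = List.of(
            "[INFO] Build started",
            "ERROR: <script>alert(document.cookie)</script>",
            "WARN: threshold check: a < b && c > d");
        for (String line : lines) {
            System.out.println("unsafe : " + renderUnsafe(line));
            System.out.println("escaped: " + renderEscaped(line));
        }
    }
}
```

Run with `javac LogLineView.java && java LogLineView`. The point to check when reviewing a plugin for this class of bug is where the escaping happens: it must sit between the parsed log text and the HTML output, and it has to be applied to every path that renders log content, not only the main log page.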
Preconditions
- input: The attacker must be able to inject malicious content into a Jenkins build log (e.g., via build steps, SCM commits, or parameter values).
- auth: A victim with access to the Jenkins UI must view the affected build log page.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j923-26c2-qq9p (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-45387 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2022/11/15/4 (GHSA, mailing list, web)
- github.com/jenkins-infra/update-center2/pull/658 (GHSA, web)
- github.com/jenkinsci/bart-plugin/blob/30d19e0ded8588c84601c7ffbcd0dd91c08ef945/src/main/java/org/jenkinsci/plugins/bart/LogParserBuildAction.java (GHSA, web)
- www.jenkins.io/security/advisory/2022-11-15/ (GHSA, web)
News mentions
- Jenkins Security Advisory 2022-11-15 (Jenkins Security Advisories · Nov 15, 2022)