VYPR
High severity · NVD Advisory · Published Dec 7, 2022 · Updated Apr 23, 2025

CVE-2022-46684

Description

Jenkins Checkmarx Plugin 2022.3.3 and earlier has a stored XSS vulnerability due to unsanitized values from the Checkmarx API in HTML reports.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This failure to sanitize output leads to a stored cross-site scripting (XSS) vulnerability [1][2].

Exploitation

The plugin processes responses from the Checkmarx service API and generates HTML reports for display in the Jenkins UI. While users without Overall/Administer permission cannot configure the Checkmarx service URL, exploitation is still possible through man-in-the-middle attacks between Jenkins and the Checkmarx service, or by compromising the Checkmarx server itself [2].

Impact

An attacker who can control the Checkmarx API response (e.g., via MITM or by compromising the Checkmarx service) can inject malicious scripts into the generated reports. When a Jenkins user views the report, the script executes in the context of the user's session, potentially leading to credential theft, unauthorized actions, or further compromise of the Jenkins instance [2].

Mitigation

The vulnerability is fixed in Checkmarx Plugin version 2022.3.4. Users are advised to update to this version or later. There is no workaround provided [2].
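To make the defect described under Vulnerability and its fix concrete, here is an added example (not the Checkmarx plugin's own code) that renders a Checkmarx-style scan result into an HTML report the vulnerable way and the hardened way, plus a check a reviewer can run over the output. The response shape and field names are constructed assumptions for illustration only.

```python
import html
import json
import re

# Constructed sample of a scan result as a Jenkins plugin might receive it from the
# service API. Field names are assumptions; the second queryName carries the kind of
# markup a tampered (MITM or compromised-server) response could contain.
SAMPLE_API_RESPONSE = json.dumps({
    "projectName": "payments-service",
    "results": [
        {"queryName": "SQL_Injection", "severity": "High", "fileName": "src/Db.java"},
        {"queryName": "<img src=x onerror=alert(1)>",
         "severity": "Low", "fileName": "src/Util.java"},
    ],
})

ALLOWED_TAGS = {"h1", "table", "tr", "td"}  # the only tags the template itself emits


def render_row_unsafe(result: dict) -> str:
    """Vulnerable pattern: API values are concatenated straight into the HTML report."""
    return (f"<tr><td>{result['queryName']}</td><td>{result['severity']}</td>"
            f"<td>{result['fileName']}</td></tr>")


def render_row_safe(result: dict) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped at the output sink."""
    cells = (html.escape(str(result.get(k, "")), quote=True)
             for k in ("queryName", "severity", "fileName"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_report(api_json: str, escape_output: bool) -> str:
    """Build the report from the raw API JSON, with or without output escaping."""
    data = json.loads(api_json)
    row = render_row_safe if escape_output else render_row_unsafe
    title = data["projectName"]
    if escape_output:
        title = html.escape(title, quote=True)
    rows = "".join(row(r) for r in data["results"])
    return f"<h1>Checkmarx results: {title}</h1><table>{rows}</table>"


def contains_injected_tag(report_html: str) -> bool:
    """Defensive check: flag any tag in the report that the template did not emit."""
    found = {t.lower() for t in re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", report_html)}
    return not found <= ALLOWED_TAGS
```

Rendering the constructed response without escaping yields a report containing a foreign `img` tag, while the escaped version contains only the template's own tags.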

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
com.checkmarx.jenkins:checkmarx (Maven)   < 2022.4.3          2022.4.3
