High severityNVD Advisory· Published Dec 7, 2022· Updated Apr 23, 2025

CVE-2022-46687

Description

Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.jenkins.plugins:spring-configMaven	< 2.0.1	2.0.1

Affected products

ghsa-coords
pkg:maven/io.jenkins.plugins/spring-config
Range: < 2.0.1
Jenkins Project/Spring Config Plugincpe-rescue
Range: unspecified

Patches

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-3rrx-364r-6wf6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-46687ghsaADVISORY
github.com/jenkinsci/spring-config-plugin/commit/89fea88b24f92233ed31050b8e695eb9b502b8c0ghsaWEB
www.jenkins.io/security/advisory/2022-12-07/ghsaWEB

News mentions

Jenkins Security Advisory 2022-12-07
Jenkins Security Advisories · Dec 7, 2022

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000