CVE-2022-29037
published 2022-04-12

Priority: P4 (23), medium
CVSS 3.1 base score: 5.4 (AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N)
EPSS: 0.66% (47.0th percentile)
Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected

25 ranges

Vendor            Product                                       Version range         Fixed in
jenkins           build_step_plugin
jenkins           coordinator_plugin
jenkins           credentials_plugin
jenkins           cvs                                           <= 2.19
jenkins           cvs_plugin
jenkins           deprecated_groovy_libraries_plugin
jenkins           extended_choice_parameter_plugin
jenkins           gerrit_trigger_plugin
jenkins           git_parameter_plugin
jenkins           google_compute_engine_plugin
jenkins           input_step_plugin
jenkins           jira_plugin
jenkins           job_dsl_plugin
jenkins           job_generator_plugin
jenkins           mask_passwords_plugin
jenkins           maven_release_plugin
jenkins           node_and_label_parameter_plugin
jenkins           promotion_names_in_promoted_builds_plugin
jenkins           publish_over_ftp_plugin
jenkins           rebuilder_plugin
jenkins           release_plugin
jenkins           show_build_parameters_plugin
jenkins           subversion_plugin
jenkins           unleash_maven_plugin
jenkins_project   jenkins_cvs_plugin                            unspecified – 2.19

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      5.4     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd      v2.0      3.5     LOW        AV:N/AC:M/Au:S/C:N/I:P/A:N