CVE-2022-34777
published 2022-06-30


Priority: P3 (41), medium
CVSS 3.1 base score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS: 72.36% (99.4th percentile)
Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected

26 ranges · showing 25

Vendor   | Product                            | Version range | Fixed in
---------|------------------------------------|---------------|---------
gitlab   | gitlab                             |               |
jenkins  | build_notifications_plugin         |               |
jenkins  | cisco_spark_plugin                 |               |
jenkins  | deployment_dashboard_plugin        |               |
jenkins  | elasticsearch_query_plugin         |               |
jenkins  | failed_job_deactivator_plugin      |               |
jenkins  | feedback_panel_plugin              |               |
jenkins  | gitlab                             | <= 1.5.34     |
jenkins  | gitlab_plugin                      |               |
jenkins  | ids_in_xebialabs_xl_release_plugin |               |
jenkins  | jigomerge_plugin                   |               |
jenkins  | matrix_reloaded_plugin             |               |
jenkins  | opsgenie_plugin                    |               |
jenkins  | plot_plugin                        |               |
jenkins  | project_inheritance_plugin         |               |
jenkins  | recipe_plugin                      |               |
jenkins  | request_rename_or_delete_plugin    |               |
jenkins  | rich_text_publisher_plugin         |               |
jenkins  | rocketchat_notifier_plugin         |               |
jenkins  | rqm_plugin                         |               |
jenkins  | skype_notifier_plugin              |               |
jenkins  | testng_results_plugin              |               |
jenkins  | validating_email_parameter_plugin  |               |
jenkins  | xebialabs_xl_release_plugin        |               |
jenkins  | xpath_configuration_viewer_plugin  |               |

Detection & IOCs (extracted from sources)

  • Stored XSS vulnerability exists in Jenkins GitLab Plugin versions 1.5.34 and earlier, triggered via webhook-triggered build descriptions. Monitor for unsanitized script injection in build description fields set by users with Item/Configure permission.
  • Exploitation requires the attacker to have Item/Configure permission in Jenkins, limiting the attack surface to authenticated users with that specific privilege level.
  • The vulnerability affects Jenkins GitLab Plugin version 1.5.34 and earlier; environments running versions up to and including 1.5.34 are at risk.

CVSS provenance

NVD, CVSS v3.1: 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 3.5 LOW, AV:N/AC:M/Au:S/C:N/I:P/A:N