
CVE-2022-25189: Stored Cross-site Scripting vulnerability in Jenkins Custom Checkbox Parameter Plugin

CVSS Score: 8 (CVSS v3.1)

Basic Information

EPSS Score: 0.89297%
Published: 2/16/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name                                   Ecosystem   Vulnerable Versions   First Patched Version
io.jenkins.plugins:custom-checkbox-parameter   maven       < 1.2                 1.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from unescaped parameter names in the UI rendering. The key evidence is in the pre-patch `index.jelly`, where `${it.name}` was used directly in JavaScript initialization. The patch changed this to retrieve the value from a hidden input's `val()` (which HTML-escapes content), indicating the parameter name was previously rendered without proper contextual escaping. This matches the CVE description of unescaped parameter names causing XSS.
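The two rendering shapes contrasted above, as an added JavaScript illustration that is not the plugin's own `index.jelly`: the template strings, `initCheckbox()`, the `param-name` id and the stored parameter name are assumptions, and the two review helpers show what the page would actually execute in each case.

```javascript
// Added illustration of the two rendering shapes contrasted above; this is not the
// plugin's index.jelly. Template strings, initCheckbox() and the "param-name" id
// are assumptions; storedName is a constructed parameter name.

// Minimal HTML attribute/text escaper (the five characters that matter in HTML).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-patch shape: the stored name is interpolated into JavaScript source.
// A <script> body is not parsed as HTML, so HTML escaping would not even apply here;
// a quote in the name closes the string literal and the remainder runs as code.
function renderVulnerable(name) {
  return `<script>initCheckbox("${name}");</script>`;
}

// Post-patch shape: the name is written into an HTML attribute, escaped for that
// context, and the script reads it back from the DOM. The browser decodes the
// entities and hands the original text to the script purely as data.
function renderFixed(name) {
  return `<input type="hidden" id="param-name" value="${escapeHtml(name)}">` +
         `<script>initCheckbox(document.getElementById("param-name").value);</script>`;
}

// Review helper: the JavaScript the page will actually execute.
function scriptBody(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/);
  return m ? m[1] : "";
}

// Review helper: what the browser would expose as .value for the hidden input.
function decodedAttribute(html) {
  const m = html.match(/value="([^"]*)"/);
  if (!m) return null;
  return m[1]
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Constructed parameter name containing the characters that end a JS string literal.
const storedName = 'Enable feature"); doSomething(); //';
```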


WAF Protection Rules

WAF Rule

Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter names of custom checkbox parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
