CVE-2022-25191: Stored Cross-site Scripting vulnerability in Jenkins Agent Server Parameter Plugin
8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.89297%
CWE
Published
2/16/2022
Updated
2/3/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jenkins.plugins:agent-server-parameter | maven | < 1.1 | 1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The pre-patch code uses ${it.name} in two contexts: (1) as the value of a hidden input, where Jelly HTML-escapes it, and (2) directly in JavaScript URL construction, without proper JS escaping. The critical vulnerability is in the second context: ${it.name} was rendered into JavaScript without proper contextual escaping, so a stored malicious parameter name containing a JS payload results in XSS. The patch fixes this by moving the value retrieval to a DOM element that benefits from Jelly's HTML escaping, then reading it with jQuery.val(), which avoids JS injection.
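
The two output contexts from the analysis above, modelled as an added example (this is not the plugin's code or its patch): the same stored name is rendered once into a JavaScript string literal and once into an HTML attribute that the script reads back. The escaper's character set, the `/example/agents` URL, `paramName`, `readValue` and `canary` are assumptions made for illustration.

```javascript
// Added illustration, not plugin code: one stored name, two output contexts.

// Stand-in for the template engine's HTML escaping (assumed set: & < > ").
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const htmlEscape = s => s.replace(/[&<>"]/g, c => ENT[c]);
// What an HTML parser does to an attribute value before script reads it.
const htmlUnescape = s =>
  s.replace(/&(?:amp|lt|gt|quot);/g, m => Object.keys(ENT).find(k => ENT[k] === m));

// Pre-patch shape: the name lands inside a JavaScript string literal.
function renderVulnerable(name) {
  return { html: '', script: `url = '/example/agents?name=${htmlEscape(name)}';` };
}

// Patched shape: the name appears only in an HTML attribute and the script
// reads it back from the DOM (readValue stands in for jQuery's .val()).
function renderPatched(name) {
  return {
    html: `<input type="hidden" id="paramName" value="${htmlEscape(name)}"/>`,
    script: "url = '/example/agents?name=' + encodeURIComponent(readValue('paramName'));",
  };
}

// Minimal page load: parse id/value attributes into a DOM map, run the
// script, and report whether stored data was executed as code.
function load(page) {
  const dom = {};
  for (const [, id, value] of page.html.matchAll(/id="([^"]*)" value="([^"]*)"/g)) {
    dom[id] = htmlUnescape(value);
  }
  let executed = false;
  const run = new Function('readValue', 'canary', `let url; ${page.script} return url;`);
  const url = run(id => dom[id], () => { executed = true; return ''; });
  return { executed, url };
}

// Constructed name: the single quote ends the string literal early, so the
// rest of the name is parsed as an expression.
const storedName = "agent'+canary()+'";

console.log('pre-patch:', load(renderVulnerable(storedName)));
console.log('patched:  ', load(renderPatched(storedName)));
```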