CVE-2022-25191: Stored Cross-site Scripting vulnerability in Jenkins Agent Server Parameter Plugin

CVSS Score: 8 (CVSS 3.1)

Basic Information

EPSS Score: 0.89297%
Published: 2/16/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name: io.jenkins.plugins:agent-server-parameter
Ecosystem: maven
Vulnerable Versions: < 1.1
First Patched Version: 1.1

Vulnerability Intelligence
Root Cause Analysis

The pre-patch code uses ${it.name} in two contexts: 1) in a hidden input value, where Jelly HTML-escapes it, and 2) directly in JavaScript URL construction, without proper JavaScript escaping. The critical vulnerability is in the second context: ${it.name} was rendered into JavaScript without escaping appropriate to that context, which allows XSS when a stored parameter name contains a JavaScript payload. The patch fixes this by moving the value retrieval to a DOM element, which benefits from Jelly's HTML escaping, and then reading it with jQuery's .val(), which avoids JavaScript injection.
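To make the context mismatch concrete, the following added example (not the plugin's code and not from the original page) simulates both patterns with constructed parameter names and checks whether the name reaches the script as plain data. `PREFIX`, `prePatch`, `patched` and the escaper are assumptions for illustration; the page does not state which characters Jelly escapes.

```javascript
// Added example: constructed names and hypothetical helpers, not the plugin's code.
const PREFIX = '/hypothetical/agents?name=';   // assumed URL, not from the page

// Typical HTML escaper (assumption: the page does not list what Jelly escapes).
const ENC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DEC = Object.fromEntries(Object.entries(ENC).map(([k, v]) => [v, k]));
const htmlEscape = s => s.replace(/[&<>"']/g, c => ENC[c]);
// Stand-in for the browser decoding an attribute value while parsing the page.
const htmlUnescape = s => s.replace(/&(?:amp|lt|gt|quot|#39);/g, e => DEC[e]);

// Pre-patch pattern: the HTML-escaped name is interpolated into script source.
function prePatch(name) {
  return { script: "report('" + PREFIX + htmlEscape(name) + "');", attr: null };
}

// Patched pattern: the name lives in a hidden input's value attribute and the
// script source is constant; it reads the value back from the DOM.
function patched(name) {
  return { script: "report('" + PREFIX + "' + readHiddenInput());", attr: htmlEscape(name) };
}

// Run the rendered script and classify what happened to the name.
function outcome(render, name) {
  const page = render(name);
  let seen;
  try {
    new Function('report', 'readHiddenInput', page.script)(
      v => { seen = v; },
      () => htmlUnescape(page.attr));
  } catch (e) {
    return 'breaks-script';            // the name stopped the script from parsing or running
  }
  return seen === PREFIX + name ? 'stays-data' : 'altered';
}

// Constructed names: plain, ampersand, backslash escape, trailing backslash.
const samples = ['linux-agents', 'a&b', 'pool\\x41', 'pool\\'];
for (const n of samples) {
  console.log(JSON.stringify(n), outcome(prePatch, n), outcome(patched, n));
}
```

The backslash cases matter because HTML escaping never touches `\`, yet it is string syntax in JavaScript; any outcome other than `stays-data` means the name is being interpreted in the wrong context.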

WAF Protection Rules

WAF Rule

Jenkins Agent Server Parameter Plugin *.* and earlier does not escape parameter names of agent server parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
