
CVE-2022-30963: Cross-site Scripting in Jenkins JDK Parameter Plugin

CVSS Score
8.0 (CVSS v3.1, High)

Basic Information

EPSS Score
0.9497%
Published
5/18/2022
Updated
1/28/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.plugins:JDK_Parameter_Plugin | maven | <= 1.0 | 

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the plugin rendering the name and description of JDK parameters into views without HTML-escaping them. Jenkins plugins typically use Jelly templates for UI rendering, and the advisory explicitly states that the plugin fails to escape these two fields. Exact file paths are not given, but the pattern matches Jenkins ParameterDefinition implementations, whose config.jelly and index.jelly views render the parameter name and description. Because the values are stored in the job configuration and rendered to every user who opens the affected view, the result is stored (persistent) XSS; the attacker must already hold Item/Configure permission on a job, so exposure depends on who is allowed to configure jobs. The high-confidence assessment rests on: 1) the CWE-79 classification, 2) the advisory's explicit mention of unescaped parameter metadata, and 3) consistency with earlier Jenkins XSS vulnerabilities in parameter handling. No first patched version is listed above, so the practical check is whether the plugin's views emit these fields raw or through Jelly's escaping.
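The following Jelly fragment is an added illustration of the pattern described above; it is not the plugin's own code. The view file name, the `jdk-parameter` class and the assumption that the view has access to the parameter definition as `it` (with `name` and `description` getters) are assumptions made for the example. The first block shows the unsafe rendering, the second the escaped rendering.

```xml
<?jelly escape-by-default='true'?>
<!-- Hypothetical index.jelly for a ParameterDefinition (added example, not the plugin's code) -->
<j:jelly xmlns:j="jelly:core">

  <!-- VULNERABLE: <j:out> writes the string verbatim, bypassing escaping.
       A description such as  <img src=x onerror=alert(document.cookie)>
       saved by a user with Item/Configure becomes live markup for every
       user who opens the "Build with Parameters" page. -->
  <div class="jdk-parameter">
    <label><j:out value="${it.name}"/></label>
    <div class="setting-description"><j:out value="${it.description}"/></div>
  </div>

  <!-- HARDENED: with escape-by-default='true' on the root element, ${...}
       expressions in text content are HTML-escaped, so the same payload is
       shown as literal text (&lt;img src=x ...&gt;) and never executes. -->
  <div class="jdk-parameter">
    <label>${it.name}</label>
    <div class="setting-description">${it.description}</div>
  </div>

</j:jelly>
```

When reviewing a plugin for this class of bug, grep its Jelly views for `<j:out value=` and for files that lack the `escape-by-default='true'` processing instruction, and confirm that every user-controlled field reaches the page through an escaped `${...}` expression. If a plugin deliberately wants rich-text descriptions, the value should go through the Jenkins-configured markup formatter (the way core ParameterDefinition exposes a formatted description) rather than through raw output.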


WAF Protection Rules

WAF Rule

Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters. This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure per
