CVE-2022-30963: Cross-site Scripting in Jenkins JDK Parameter Plugin
CVSS Score: 8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-30963
GHSA ID: (not listed)
EPSS Score: 0.9497%
CWE: CWE-79 (Cross-site Scripting)
Published: 5/18/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.jenkins-ci.plugins:JDK_Parameter_Plugin | maven | <= 1.0 | (none listed)
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped parameter name/description fields in views. Jenkins plugins typically use Jelly templates for UI rendering, and the advisory explicitly states that the plugin fails to escape these fields. While exact file paths aren't provided, the pattern matches Jenkins' ParameterDefinition implementations, where config.jelly/index.jelly files handle parameter rendering. The high confidence comes from:
1) the CWE-79 classification;
2) the explicit mention of unescaped parameter metadata;
3) consistency with similar historical Jenkins XSS vulnerabilities in parameter handling.