CVE-2022-30965: Stored Cross-site Scripting vulnerabilities in Jenkins promoted Builds (Simple) plugin providing additional parameter types
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:promoted-builds-simple | maven | <= 1.9 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability arises because the plugin does not properly escape the 'name' and 'description' fields of Promotion Level parameters when rendering them in views (e.g., the 'Build With Parameters' or 'Parameters' pages). However, the advisory does not provide specific code details (commit diffs, patch information, or file paths), so the exact Java functions cannot be identified with high confidence. The root cause most likely resides in the Jelly view templates (*.jelly files) responsible for rendering these parameters, where escaping is omitted (e.g., using ${parameter.name} instead of ${parameter.name?html}). Because no code is provided, no specific Java functions can be pinpointed with high certainty.