CVE-2022-30967: Cross site scripting in Jenkins Selection tasks Plugin
CVSS Score: 8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-30967
GHSA ID:
EPSS Score: 0.96652%
CWE:
Published: 5/18/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jvnet.hudson.plugins:selection-tasks-plugin | maven | <= 1.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from parameter names and descriptions that are rendered in views without escaping. Jenkins plugins typically render their UI components with Jelly templates, and this case matches a known class of Jenkins XSS in which parameter metadata is output without proper escaping. The advisory specifically identifies Script Selection task variable parameters as affected, which implies that the Jelly templates (config.jelly) rendering these parameters lack output encoding. Although the exact code is not available, this is the standard implementation pattern for Jenkins parameter types, and the vulnerability description maps directly to missing escape calls in those template rendering functions.