
CVE-2022-34777: Cross-site Scripting in Jenkins GitLab Plugin

CVSS Score: 8 (CVSS v3.1)

Basic Information

EPSS Score: 0.96477%
Published: 7/1/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name: org.jenkins-ci.plugins:gitlab-plugin
Ecosystem: maven
Vulnerable Versions: <= 1.5.34
First Patched Version: 1.5.35

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unescaped user-provided fields in webhook-triggered build descriptions. The patch modifies the Jelly template to stop displaying `it.shortDescription`, replacing it with static text. The removed Jelly line `<j:out value="${it.shortDescription}"/>` directly references the getShortDescription() method of GitLabWebHookCause, which returned the unneutralized input. Since Jelly's escape-by-default was not sufficient here (likely because the values coming from the cause object were already treated as HTML), that method is the vulnerable data source in the runtime call stack when an XSS payload is rendered.
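To make the mechanism concrete, here is an added example that is not code from the GitLab Plugin, from Jenkins or from Miggo. It mimics the pattern the analysis describes: a cause object whose short description is assembled from webhook-supplied fields is rendered once as raw markup (the behaviour of the removed `<j:out value="${it.shortDescription}"/>` line) and once through an HTML escaper applied at the output boundary. The `WebhookCause`, `renderRaw`, `renderEscaped`, `escapeHtml` and `containsUnexpectedMarkup` names, and the sample branch and user values, are constructed for this example; the plugin's actual fix removed the description from the template rather than escaping it.

```java
import java.util.Objects;

public class CauseDescriptionDemo {

    /** Hypothetical stand-in for GitLabWebHookCause: both fields come straight from the webhook body. */
    static final class WebhookCause {
        final String branch;
        final String triggeredBy;

        WebhookCause(String branch, String triggeredBy) {
            this.branch = Objects.requireNonNull(branch);
            this.triggeredBy = Objects.requireNonNull(triggeredBy);
        }

        /** Concatenates untrusted fields into the description with no neutralization. */
        String getShortDescription() {
            return "Triggered by GitLab push on branch " + branch + " by " + triggeredBy;
        }
    }

    /** Minimal HTML escaper for the characters that change meaning in element content and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Mirrors the removed Jelly line: the description is inserted into the page as-is. */
    static String renderRaw(WebhookCause cause) {
        return "<div class=\"cause\">" + cause.getShortDescription() + "</div>";
    }

    /** Defensive rendering: escape at the output boundary, so markup inside the fields becomes inert text. */
    static String renderEscaped(WebhookCause cause) {
        return "<div class=\"cause\">" + escapeHtml(cause.getShortDescription()) + "</div>";
    }

    /** Cheap review check: does the rendered fragment contain any angle bracket the template itself did not emit? */
    static boolean containsUnexpectedMarkup(String html) {
        String stripped = html.replace("<div class=\"cause\">", "").replace("</div>", "");
        return stripped.indexOf('<') >= 0 || stripped.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample input: a branch name and user name that carry markup characters.
        WebhookCause cause = new WebhookCause("feature/<b>bold</b>", "\"quoted\" user");

        String raw = renderRaw(cause);
        String safe = renderEscaped(cause);

        System.out.println("raw:     " + raw);
        System.out.println("escaped: " + safe);
        System.out.println("raw rendering leaks markup:     " + containsUnexpectedMarkup(raw));   // true
        System.out.println("escaped rendering leaks markup: " + containsUnexpectedMarkup(safe));  // false
    }
}
```

The point of `containsUnexpectedMarkup` is that a template review can be turned into a unit test: any `<j:out>` (or equivalent raw-output construct) fed from a value that originates in a webhook payload should fail such a check, which is the condition the patched version removes by no longer rendering the field at all.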


WAF Protection Rules

WAF Rule

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission
