CVE-2022-34784: Cross-site scripting in Jenkins build-metrics Plugin

CVSS Score: 8

Basic Information

EPSS Score: -
Published: 7/1/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name: org.jenkins-ci.plugins:build-metrics
Ecosystem: maven
Vulnerable Versions: <= 1.3
First Patched Version: -

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The advisory explicitly states the vulnerability stems from unescaped build descriptions in a view. Jenkins plugins typically use Jelly templates for HTML rendering, and XSS vulnerabilities in this context commonly occur when dynamic content (like build.description) is rendered without proper escaping. While the exact file path isn't provided, the pattern 'web/[ViewName]/index.jelly' follows Jenkins plugin conventions. The confidence is high because the vulnerability description directly maps to this templating pattern.
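As an added illustration (not the build-metrics plugin's own view, whose path the advisory does not give), a hypothetical Jenkins Jelly fragment showing the escaping behaviour the analysis describes. The variable name `build` and the markup-formatter call are assumptions about a generic plugin view, not code from this plugin:

```xml
<?jelly escape-by-default='true'?>
<!-- Hypothetical view fragment, added here for illustration; not build-metrics plugin code. -->
<!-- The vulnerable shape of this template is the same file WITHOUT the first line: without the
     escape-by-default processing instruction, ${} expressions in text are written out raw, so a
     build description containing markup is interpreted as HTML by the browser. Anyone who can
     set the description (Build/Update permission) can therefore store script in the page. -->
<j:jelly xmlns:j="jelly:core">
  <table>
    <tr>
      <!-- With escape-by-default on, this ${} expression is HTML-escaped before output:
           "<img src=x onerror=...>" arrives in the browser as literal text, not a tag. -->
      <td>${build.description}</td>

      <!-- <j:out> is the explicit opt-out from escaping and must only carry content that has
           already been sanitized, here by the instance's configured markup formatter
           (assumed: the same pattern Jenkins core uses for descriptions). -->
      <td><j:out value="${app.markupFormatter.translate(build.description)}"/></td>
    </tr>
  </table>
</j:jelly>
```

When reviewing a plugin for this class of bug, grep its `.jelly` views for the missing `escape-by-default` header and for `<j:out>` whose value is user-controlled but not routed through the markup formatter.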

WAF Protection Rules

WAF Rule

Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.