8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-34791

GHSA ID

GHSA-hqmp-vxj7-5wpq

EPSS Score

0.94299%

CWE

CWE-79

Published

7/1/2022

Updated

1/28/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-34791

CVE-2022-34791: Cross-site Scripting in Jenkins Validating Email Parameter Plugin

Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type.

Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build With Parameters" and "Parameters" pages from vulnerabilities like this by default.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-34791

CVE-2022-34791:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-34791

GHSA ID

GHSA-hqmp-vxj7-5wpq

EPSS Score

0.94299%

CWE

CWE-79

Published

7/1/2022

Updated

1/28/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.plugins:validating-email-parameter	maven	<= 1.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly stems from unescaped parameter names/descriptions in the plugin's UI rendering. Jenkins plugins typically handle parameter metadata via ParameterDefinition subclasses and Jelly views. The advisory confirms the plugin disables core security hardening (SECURITY-353/CVE-2017-2601), which enforced escaping in parameter displays. This implies the plugin's implementation overrides default secure rendering mechanisms, likely in its Jelly templates (e.g., using ${parameter.name} without escape attributes) or Java code returning raw strings. While exact code isn't provided, the pattern matches known Jenkins XSS vulnerabilities where parameter metadata is rendered without contextual output encoding.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-34791: Cross-site Scripting in Jenkins Validating Email Parameter Plugin

CVE-2022-34791:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2022-34791: Cross-site Scripting in Jenkins Validating Email Parameter Plugin

8

8

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI