CVE-2022-34196 in REST List Parameter Plugin
Summary
by MITRE • 06/23/2022
Jenkins REST List Parameter Plugin 1.5.2 and earlier does not escape the name and description of REST list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Analysis
by VulDB Data Team • 07/14/2022
The vulnerability identified as CVE-2022-34196 affects the Jenkins REST List Parameter Plugin version 1.5.2 and earlier, presenting a critical stored cross-site scripting flaw that undermines the security integrity of Jenkins environments. The issue stems from inadequate output escaping in the plugin's parameter handling, specifically when parameter names and descriptions are rendered in web views. It is particularly concerning because it allows attackers with minimal privileges, namely the Item/Configure permission, to execute scripts in the browsers of other users, potentially leading to unauthorized access to sensitive information or system compromise.
The technical flaw manifests when REST list parameters are configured and displayed within Jenkins views: the plugin fails to escape special characters in the parameter metadata, so markup saved in a name or description is emitted into the page as-is. This omission creates a persistent XSS vector that remains active until the affected parameters are modified or removed. The weakness is classified under CWE-79, "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", here in its stored form, where the malicious payload is persisted and executed during every subsequent page view. The ATT&CK framework categorizes this as a technique under T1566.001 "Phishing via Service" and T1584.002 "Compromise Software Supply Chain", as attackers can leverage this vulnerability to deliver malicious payloads to unsuspecting users who view parameter lists.
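To make the escaping failure concrete, the following added example (Python, not the plugin's own Jelly/Java code and not part of the VulDB analysis) renders a parameter table twice: once by interpolating the name and description verbatim, as described for versions 1.5.2 and earlier, and once with HTML escaping applied at output time, which is the class of fix the advisory attributes to 1.5.3. The parameter values and the `RestListParameter` class are constructed for the example.

```python
"""Added example, not code from the REST List Parameter Plugin or from
VulDB: a minimal stand-in for a Jenkins parameter view, rendered with and
without output escaping of user-controlled metadata."""
import html
from dataclasses import dataclass


@dataclass
class RestListParameter:
    """Constructed stand-in for a parameter definition's display metadata."""
    name: str
    description: str


# Constructed sample: the second parameter's metadata carries a script tag,
# the kind of value a user with Item/Configure permission could save.
SAMPLE_PARAMETERS = [
    RestListParameter("TARGET_ENV", "Environment to deploy to"),
    RestListParameter("BRANCH", "Pick a branch <script>alert(1)</script>"),
]


def render_unescaped(params):
    """Vulnerable rendering: name and description are interpolated into the
    HTML verbatim, so any markup they contain is parsed by the browser."""
    rows = "".join(
        f"<tr><td>{p.name}</td><td>{p.description}</td></tr>" for p in params
    )
    return f"<table>{rows}</table>"


def render_escaped(params):
    """Hardened rendering: every attacker-influenced field is HTML-escaped at
    output time, so markup is displayed as text instead of being executed."""
    rows = "".join(
        f"<tr><td>{html.escape(p.name)}</td><td>{html.escape(p.description)}</td></tr>"
        for p in params
    )
    return f"<table>{rows}</table>"


def contains_script_tag(rendered: str) -> bool:
    """Check used to compare the two renderings: did a raw <script tag survive
    into the generated page?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        page = renderer(SAMPLE_PARAMETERS)
        print(f"{label}: script tag present = {contains_script_tag(page)}")
        print(page)
```

The escaped rendering still shows the reviewer exactly what was typed into the description, which is the intended behaviour; only the interpretation of that text as markup is removed.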
The operational impact of CVE-2022-34196 extends beyond simple script execution, as it can enable attackers to escalate privileges, steal session cookies, perform unauthorized actions within Jenkins, and potentially access other systems through lateral movement. Users with Item/Configure permissions can manipulate parameter definitions to include malicious JavaScript code that executes whenever other users view the parameter lists, creating a persistent threat vector. The vulnerability affects Jenkins installations that utilize the REST List Parameter Plugin, making it particularly relevant for organizations that rely on parameterized builds and external API integrations. The stored nature of the vulnerability means that the malicious payloads remain active indefinitely until manually removed, providing attackers with sustained access to compromised environments.
Organizations should immediately upgrade to Jenkins REST List Parameter Plugin version 1.5.3 or later, which contains the necessary patches to properly escape parameter names and descriptions. System administrators should also implement additional security controls such as regular security audits of Jenkins configurations, monitoring for suspicious parameter modifications, and enforcing least privilege access controls. Network segmentation and web application firewalls can provide additional layers of protection against exploitation attempts. The vulnerability highlights the importance of input validation and output escaping in web applications, particularly in environments where users can configure system parameters that are subsequently displayed to other users. Security teams should also consider implementing automated scanning tools to identify potentially vulnerable Jenkins installations and ensure that all plugins are kept current with security updates.
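One of the controls recommended above, monitoring for suspicious parameter modifications, can be approximated with a scan of the job configurations Jenkins persists on disk. The following added example (Python; not VulDB's or Jenkins' code) walks the `parameterDefinitions` block of a job `config.xml`, which is the common layout Jenkins uses for parameterized jobs, and flags any `*ParameterDefinition` whose `<name>` or `<description>` looks like it contains markup. The exact element name of the REST List Parameter definition is not assumed; the `example.RestListParameterDefinition` tag, the markup heuristic and the sample XML are constructed for the example.

```python
"""Added example, not part of the VulDB analysis or of Jenkins: audit job
config.xml files for parameter names or descriptions that contain markup,
the kind of modification the advisory recommends monitoring for."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic for HTML or script content in what should be plain-text metadata:
# an opening/closing tag, a javascript: URL, or an on<event>= handler.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_parameters(config_xml: str):
    """Return (element_tag, field, value) for every *ParameterDefinition whose
    name or description matches the markup heuristic."""
    root = ET.fromstring(config_xml)
    findings = []
    for defs in root.iter("parameterDefinitions"):
        for param in defs:
            if not param.tag.endswith("ParameterDefinition"):
                continue
            for field in ("name", "description"):
                node = param.find(field)
                if node is not None and node.text and SUSPICIOUS.search(node.text):
                    findings.append((param.tag, field, node.text))
    return findings


def audit_jenkins_home(jenkins_home: str):
    """Scan every jobs/*/config.xml under a JENKINS_HOME directory and map the
    job name to its findings (jobs without findings are omitted)."""
    results = {}
    for config in Path(jenkins_home).glob("jobs/*/config.xml"):
        hits = find_suspicious_parameters(config.read_text(encoding="utf-8"))
        if hits:
            results[config.parent.name] = hits
    return results


# Constructed sample config.xml, XML-escaped the way Jenkins stores text; the
# second definition carries a script tag in its description. The
# example.RestListParameterDefinition tag is a placeholder, not the real class.
SAMPLE_CONFIG = """<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.StringParameterDefinition>
          <name>TARGET_ENV</name>
          <description>Environment to deploy to</description>
        </hudson.model.StringParameterDefinition>
        <example.RestListParameterDefinition>
          <name>BRANCH</name>
          <description>Pick a branch &lt;script&gt;alert(1)&lt;/script&gt;</description>
        </example.RestListParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>
"""

if __name__ == "__main__":
    for tag, field, value in find_suspicious_parameters(SAMPLE_CONFIG):
        print(f"{tag}: suspicious {field}: {value!r}")
```

Run `audit_jenkins_home("/var/lib/jenkins")` (or wherever JENKINS_HOME lives) from a scheduled job and alert on any non-empty result; because the scan reads the persisted configuration rather than the rendered page, it catches stored payloads regardless of which plugin version is installed, and it remains useful after the upgrade as a check that no such metadata is left behind.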