CVE-2022-43420 in Contrast Continuous Application Security Plugin
Summary
by MITRE • 10/19/2022
Jenkins Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/09/2025
The Jenkins Contrast Continuous Application Security Plugin vulnerability CVE-2022-43420 represents a critical stored cross-site scripting flaw that emerges from inadequate input sanitization within the plugin's report generation mechanism. This vulnerability affects versions 3.9 and earlier of the Contrast plugin, which integrates with Jenkins to provide continuous application security monitoring and reporting capabilities. The flaw manifests when the plugin processes data returned from the Contrast service during report creation, failing to properly escape or sanitize output that originates from external API responses.
The technical nature of this vulnerability stems from the plugin's failure to implement proper output encoding when incorporating data from the Contrast service into HTML report content. This creates an environment where malicious actors who can influence or manipulate the Contrast service API responses can inject malicious scripts that persist within the generated reports. The stored nature of this XSS vulnerability means that once a malicious payload is injected into the Contrast service response, it will be executed whenever any user views the affected report, regardless of whether they have elevated privileges or are authenticated within Jenkins.
From an operational impact perspective, this vulnerability exposes Jenkins environments to significant security risks as it allows attackers to execute arbitrary JavaScript code within the context of a victim's browser session. The attacker could potentially steal session cookies, perform actions on behalf of authenticated users, redirect victims to malicious sites, or extract sensitive information from the Jenkins environment. The vulnerability is particularly concerning because it leverages the Contrast service as an attack vector, making it possible for adversaries to exploit the trust relationship between Jenkins and the Contrast service to deliver malicious payloads.
The flaw aligns with CWE-79 which specifically addresses cross-site scripting vulnerabilities, and maps to ATT&CK technique T1566.001 for credential access through spearphishing attachments or links. This vulnerability represents a classic case of insufficient output escaping in web applications where user-controllable data is directly embedded into HTML content without proper sanitization. The security implications extend beyond simple script execution as attackers could potentially leverage this vulnerability to escalate privileges, access restricted resources, or establish persistent access points within the Jenkins environment. Organizations utilizing the Contrast plugin must consider this vulnerability as a critical threat requiring immediate remediation.
Mitigation strategies should include immediate upgrade to plugin versions 3.10 or later where the XSS vulnerability has been addressed through proper output escaping mechanisms. Additionally, administrators should implement network-level controls to restrict access to the Contrast service API endpoints and consider implementing web application firewalls to detect and prevent malicious payloads. Regular security auditing of plugin configurations and monitoring for anomalous API responses from the Contrast service should also be implemented as part of comprehensive defense-in-depth strategies. The vulnerability demonstrates the critical importance of proper input validation and output encoding in preventing XSS attacks, particularly when dealing with data from external services that may be compromised or manipulated by adversaries.