CVE-2022-45382 in Naginator Plugin

Summary

by MITRE • 11/15/2022

Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.


Analysis

by VulDB Data Team • 04/30/2025

CVE-2022-45382 affects the Jenkins Naginator Plugin in version 1.18.1 and earlier. It is a stored cross-site scripting vulnerability caused by missing escaping in the plugin's handling of build display names: when a build is triggered through the Retry action, the plugin renders the display name of the source build in the user interface without escaping or sanitizing it. An attacker with permission to edit build display names can therefore store script content that persists in the system and executes in the browser of any other user who views the affected build information.

Exploitation works through manipulation of build display names within Jenkins, because the Naginator plugin applies no output encoding or sanitization to this user-provided content. When a build is retried and the source build's display name contains script code, that content is stored and later rendered without escaping, which yields a stored XSS vector. The issue is notable because it requires only the ability to edit build display names, a permission that many Jenkins environments grant to users with relatively low privileges, so the attack surface is broader than it first appears. The weakness is classified as CWE-79, Improper Neutralization of Input During Web Page Generation (cross-site scripting), which covers exactly this failure to neutralize user-controllable data before it is placed in a web page.

The operational impact goes beyond simple script execution: an attacker could use the injected script to steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users within Jenkins. This can be leveraged to escalate privileges or to reach build information, configuration details, and other resources that Jenkins access control would normally protect. Because the XSS is stored, the malicious script persists and can affect many users over time, unlike reflected XSS, which requires each victim to follow a crafted request. That makes the vulnerability especially dangerous in multi-user environments where Jenkins is the central automation platform for development teams.

Mitigation for CVE-2022-45382 should start with updating the plugin to a version that fixes the XSS through proper output encoding. Organizations should also restrict which users may modify build display names, deploy a Content Security Policy to limit script execution, and audit Jenkins plugins regularly for similar escaping defects. The Jenkins security team has addressed this issue in later plugin versions, and organizations should confirm that they are running a patched version. Applying consistent input validation and output encoding in custom Jenkins plugins helps prevent the same class of issue in the future. The vulnerability underlines the importance of secure coding practices and of escaping user-controllable data wherever it is rendered in a browser context, aligning with ATT&CK technique T1211, which covers exploitation of web application vulnerabilities through XSS vectors.
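The following is an added, constructed illustration of the defect class described above and of the output-encoding fix the analysis recommends; it is not the Naginator plugin's code, and the template string, function names and sample display names are assumptions made for this page. It contrasts raw interpolation of a source build's display name into HTML with an encoded rendering, and includes a simple audit check a Jenkins administrator could run over stored display names while an instance is still on a vulnerable plugin version.

```python
"""Constructed example for CVE-2022-45382 (not the plugin's own code).

A retried build's page includes the display name of the build it was
retried from. Display names are user-controlled, so they must be HTML-encoded
before being placed in the page.
"""
import html
import re

# Constructed sample: display names as a Jenkins user with "edit display name"
# permission could set them. The third entry is a hostile value.
SAMPLE_DISPLAY_NAMES = [
    "#42",
    "release-1.4.0 (nightly)",
    "build <script>alert(1)</script>",  # constructed hostile value
    "v2 & friends",                     # harmless, but still needs encoding
]

# Assumed shape of the HTML fragment that names the source build (hypothetical).
RETRY_CAUSE_TEMPLATE = 'Retried from <a href="../{number}/">{name}</a>'


def render_retry_cause_unsafe(source_number: int, display_name: str) -> str:
    """Vulnerable pattern: the user-controlled name goes into the HTML verbatim."""
    return RETRY_CAUSE_TEMPLATE.format(number=source_number, name=display_name)


def render_retry_cause_safe(source_number: int, display_name: str) -> str:
    """Hardened pattern: HTML-encode the name (quotes included) before rendering."""
    encoded = html.escape(display_name, quote=True)
    return RETRY_CAUSE_TEMPLATE.format(number=source_number, name=encoded)


# Audit heuristic: a tag opener, a javascript: URL, or an inline event handler
# attribute has no business in a legitimate build display name.
MARKUP_PATTERN = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def looks_like_markup(display_name: str) -> bool:
    """Return True if a stored display name contains HTML or script syntax."""
    return bool(MARKUP_PATTERN.search(display_name))


def audit_display_names(names) -> list:
    """Return the display names that warrant investigation on an unpatched instance."""
    return [name for name in names if looks_like_markup(name)]


if __name__ == "__main__":
    for name in SAMPLE_DISPLAY_NAMES:
        print("unsafe:", render_retry_cause_unsafe(7, name))
        print("safe:  ", render_retry_cause_safe(7, name))
    print("flagged:", audit_display_names(SAMPLE_DISPLAY_NAMES))
```

The audit regex is deliberately broad: a false positive on an odd but legitimate name costs a moment of review, whereas a missed hostile name costs every viewer of that build page. The real fix remains encoding at render time, so that even a name the audit did not flag cannot be interpreted as markup.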

Reservation

11/14/2022

Disclosure

11/15/2022

Moderation

accepted

CPE

ready

EPSS

0.00589

KEV

no

Activities

very low

Sources
