CVE-2022-29039

Name of the Vulnerable Software and Affected Versions Jenkins Gerrit Trigger Plugin versions 2.35.2 and earlier

Description The issue results in a stored cross-site scripting (XSS) vulnerability, which can be exploited by attackers with Item/Configure permission. This occurs because the plugin does not escape the name and description of parameters on views displaying parameters. Exploitation requires that parameters are listed on another page and that those pages are not hardened to prevent exploitation.

Recommendations For Jenkins Gerrit Trigger Plugin versions 2.35.2 and earlier, update to a version later than 2.35.2 to resolve the issue. As a temporary workaround, consider restricting access to the 'Build With Parameters' and 'Parameters' pages provided by Jenkins (core) until a patch is available. Restrict Item/Configure permission to minimize the risk of exploitation.