CVE-2022-29045

Name of the Vulnerable Software and Affected Versions Jenkins promoted builds Plugin versions 873.v6149db d64130 and earlier, except version 3.10.1

Description The issue results in a stored cross-site scripting (XSS) vulnerability, which can be exploited by attackers with Item/Configure permission. This occurs because the name and description of Promoted Build parameters on views displaying parameters are not properly escaped. Exploitation requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. However, Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since version 2.44 and LTS 2.32.2.

Recommendations For Jenkins promoted builds Plugin versions 873.v6149db d64130 and earlier, except version 3.10.1, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.