PT-2022-19389 · Jenkins · Jenkins Promoted Builds Plugin

Reported by: Kevin Guerroudj and one other credited reporter
Published: 2022-04-12 · Updated: 2023-12-21
CVE-2022-29049 · CVSS v3.1 5.4 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Promoted Builds Plugin versions 873.v6149db_d64130 and earlier, except version 3.10.1

Description
The names of promotions defined through Job DSL are not validated. An attacker with Job/Configure permission can therefore define a promotion with an unsafe name. Because a promotion's name is rendered in the Jenkins UI and is also used on disk to locate that promotion's own config.xml, such a name could be used for cross-site scripting (XSS) or to replace other config.xml files.

Recommendations
For versions 873.v6149db_d64130 and earlier, except version 3.10.1, update to a release that validates promotion names, such as version 876.v99d29788b_36b or later. Until the update is applied, restrict Job/Configure permission to trusted users so that only they can define promotions, and review existing Job DSL scripts for promotion names that contain path separators, control characters, or markup.
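To make "unsafe name" concrete, the following is an added example and not code from this advisory or from the plugin's patch: a standalone name check modelled on the restrictions Jenkins core applies to item names through `jenkins.model.Jenkins.checkGoodName`. The class name, method names, and sample names are this example's own assumptions. A check of this kind belongs at the point where the string passed to `promotion('...')` in a Job DSL script becomes the name of a promotion process; the sample names show why the two halves of the advisory (XSS and replacing config.xml) come from the same missing check.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not the plugin's own code): a promotion-name check modelled on
 * the item-name rules Jenkins core enforces in jenkins.model.Jenkins.checkGoodName.
 */
public final class PromotionNameCheck {

    // Characters Jenkins core refuses in item names. The two that matter most for
    // this advisory: '/' and '\\' would let a name escape the promotion's own
    // directory and point at another config.xml, and '<' / '>' would let a name
    // rendered in the UI carry HTML.
    private static final String UNSAFE_CHARS = "?*/\\%!@#$^&|<>[]:;";

    /** Throws IllegalArgumentException if the name is unsafe as a promotion name. */
    public static void checkGoodName(String name) {
        if (name == null || name.trim().isEmpty()) {
            throw new IllegalArgumentException("promotion name must not be empty");
        }
        String trimmed = name.trim();
        if (trimmed.equals(".") || trimmed.equals("..")) {
            throw new IllegalArgumentException("'" + trimmed + "' is not an allowed name");
        }
        for (int i = 0; i < name.length(); i++) {
            char ch = name.charAt(i);
            if (Character.isISOControl(ch)) {
                throw new IllegalArgumentException(
                        String.format("control character U+%04X is not allowed", (int) ch));
            }
            if (UNSAFE_CHARS.indexOf(ch) != -1) {
                throw new IllegalArgumentException("unsafe character '" + ch + "' in name");
            }
        }
        // A trailing dot is rejected as well; on some filesystems it is silently dropped.
        if (trimmed.endsWith(".")) {
            throw new IllegalArgumentException("name must not end with '.'");
        }
    }

    /** Returns null for an acceptable name, otherwise the reason it was rejected. */
    public static String rejectionReason(String name) {
        try {
            checkGoodName(name);
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample names for the demonstration; not taken from any real instance.
        Map<String, String> samples = new LinkedHashMap<>();
        samples.put("deploy-to-staging", "ordinary name");
        samples.put("../../config.xml", "path traversal aimed at another config.xml");
        samples.put("<img src=x onerror=alert(1)>", "HTML that would render in the UI");
        samples.put("..", "parent directory");
        samples.put("qa\tprod", "embedded control character");

        for (Map.Entry<String, String> e : samples.entrySet()) {
            String reason = rejectionReason(e.getKey());
            System.out.printf("%-32s (%s) -> %s%n",
                    e.getKey().replace("\t", "\\t"),
                    e.getValue(),
                    reason == null ? "OK" : "REJECTED: " + reason);
        }
    }
}
```

Compile and run with `javac PromotionNameCheck.java && java PromotionNameCheck`; only the first sample passes. The character set is a denylist because that is what Jenkins core uses for item names; a plugin free to choose its own policy could instead allow only `[A-Za-z0-9._-]+`, which rejects everything above for the same reasons with less to get wrong.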

Tags: Fix · XSS · RCE

Weakness Enumeration

Related Identifiers

CVE-2022-29049
GHSA-JMXR-W2JC-QP7W

Affected Products

Jenkins
Jenkins Promoted Builds Plugin