CVE-2022-34190

Name of the Vulnerable Software and Affected Versions Jenkins Maven Metadata Plugin for Jenkins CI server Plugin versions 2.1 and earlier

Description The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not escape the name and description of List maven artifact versions parameters on views displaying parameters. This vulnerability is exploitable by attackers with Item/Configure permission. Exploitation requires that parameters are listed on another page and that those pages are not hardened to prevent exploitation.

Recommendations For Jenkins Maven Metadata Plugin for Jenkins CI server Plugin versions 2.1 and earlier, consider disabling the listing of parameters on views displaying parameters until a patch is available. Restrict access to the List maven artifact versions parameters to minimize the risk of exploitation. Ensure that the Jenkins core version is updated to at least 2.44 or LTS 2.32.2, which prevents exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages. At the moment, there is no information about a newer version that contains a fix for this vulnerability.