CVE-2022-34197

Name of the Vulnerable Software and Affected Versions Jenkins Sauce OnDemand Plugin versions 1.204 and earlier

Description The issue results in a stored cross-site scripting (XSS) vulnerability, which can be exploited by attackers with Item/Configure permission. This occurs because the plugin does not escape the name and description of Sauce Labs Browsers parameters on views displaying parameters. Exploitation requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. It is noted that Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since version 2.44 and LTS 2.32.2.

Recommendations For Jenkins Sauce OnDemand Plugin versions 1.204 and earlier, update to a version later than 1.204 to resolve the issue. As a temporary workaround, consider restricting access to the "Build With Parameters" and "Parameters" pages provided by Jenkins (core) to minimize the risk of exploitation. Additionally, ensure that the Jenkins (core) version is at least 2.44 or LTS 2.32.2 to prevent exploitation of this vulnerability.