CVE-2022-34778

Name of the Vulnerable Software and Affected Versions Jenkins TestNG Results Plugin versions 554.va4a552116332 and earlier

Description The issue is related to a cross-site scripting (XSS) vulnerability. It occurs when the Jenkins TestNG Results Plugin renders unescaped test descriptions and exception messages in test results, provided that certain job-level options are set. This vulnerability can be exploited by attackers who have the ability to configure jobs or control test results.

Recommendations For Jenkins TestNG Results Plugin versions 554.va4a552116332 and earlier, as a temporary workaround, consider disabling the options in the post-build step configuration that allow unescaped test descriptions and exception messages until a patch is available. Administrators who want to restore the functionality to not escape content must set the Java system property hudson.plugins.testng.Publisher.allowUnescapedHTML to true, but this should be done with caution due to the potential for XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.