PT-2022-25754 · Jenkins · Jenkins Dotci Plugin +1

Daniel Beck · Published 2022-09-21 · Updated 2025-05-28 · CVE-2022-41239

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins DotCi Plugin versions 2.40.00 and earlier

Description: The issue results in a stored cross-site scripting (XSS) vulnerability due to the failure to escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause. This vulnerability is exploitable by attackers able to submit crafted commit notifications to the "/githook/" endpoint. The vulnerability is only exploitable in certain versions of Jenkins, specifically 2.314 and earlier, and LTS 2.303.1 and earlier.

Recommendations: For Jenkins DotCi Plugin versions 2.40.00 and earlier, consider disabling the display of commit notifications in the build cause until a patch is available. Restrict access to the "/githook/" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the GitHub user name parameter in commit notifications until the issue is resolved. For Jenkins versions 2.314 and earlier, and LTS 2.303.1 and earlier, follow the LTS upgrade guide to upgrade to a newer version.

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2022-41239, GHSA-Q9G4-9FX4-V533

Affected Products: Jenkins, Jenkins Dotci Plugin