PT-2022-26893 · Jenkins · Jenkins Pipeline: Supporting APIs Plugin

Daniel Beck

Published 2022-10-19 · Updated 2023-11-01 · CVE-2022-43409

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Supporting APIs Plugin versions 838.va3a087b4055b and earlier
Description: Pipeline: Supporting APIs Plugin provides features to add hyperlinks to build logs, which other plugins use to let users interact with builds (for example, links that send a POST request when clicked). Versions 838.va3a087b4055b and earlier do not sanitize or properly encode the URLs of such POST hyperlinks before writing them into the build log. Because the URL is rendered into the log page without encoding, an attacker able to create Pipelines can store a crafted URL that is interpreted as markup or script in the browser of any user who later views that build log. This is a stored cross-site scripting (XSS) vulnerability; consistent with the CVSS vector (PR:L, UI:R), it requires an attacker with permission to create Pipelines and interaction from a victim viewing the affected log.
Recommendations: If the installed version is 838.va3a087b4055b or earlier (check under Manage Jenkins > Plugins), update to version 839.v35e2736cfd5c or later, which properly encodes URLs of hyperlinks in build logs. Until the update can be applied, restrict the ability to create Pipelines to trusted users as a temporary workaround.
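To make the encoding failure concrete, the following is an added example in JavaScript and is not the plugin's own code: a hypothetical renderer that writes a POST hyperlink into a log page with the URL concatenated raw into an inline onclick handler, beside a version that encodes the URL first for the JavaScript string literal and then for the HTML attribute. The postTo() helper, the function names and the constructed URL are assumptions for illustration; simulateClick() approximates what a browser does when the link is clicked.

```javascript
// Added example (not the plugin's own code). Shows why an unencoded URL
// inside a POST hyperlink's onclick handler is a stored XSS, and one
// correct layering of encodings. Function names and postTo() are hypothetical.

// Constructed attacker-controlled URL: a Pipeline author decides what goes
// into a hyperlink note, so the URL may contain quotes and parentheses.
const MALICIOUS_URL = "job/x/1/input/abc/proceed');alert(1);//";

// Vulnerable pattern: the URL is concatenated directly into the JavaScript
// string literal of an inline onclick handler.
function renderPostLinkVulnerable(url, text) {
  return '<a href="#" onclick="postTo(\'' + url + '\'); return false;">' +
         text + '</a>';
}

// HTML entity encoding for attribute values and text content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Encoding for a JavaScript string literal: every character outside a small
// URL-safe alphabet becomes \uXXXX, so nothing the attacker supplies can
// close the literal or start a new statement.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9_.,:\/?=\-]/g, c =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened pattern: encode for the inner context (JS string) first, then for
// the outer context (HTML attribute), and escape the link text as well.
function renderPostLinkSafe(url, text) {
  const handler = "postTo('" + escapeJsString(url) + "'); return false;";
  return '<a href="#" onclick="' + escapeHtml(handler) + '">' +
         escapeHtml(text) + '</a>';
}

// Simulates a click the way a browser would: take the onclick attribute,
// HTML-decode it, and run it as a function body with stubbed postTo() and
// alert(). Returns what the handler actually did.
function simulateClick(html) {
  const m = /onclick="([^"]*)"/.exec(html);
  if (!m) throw new Error("no onclick attribute");
  const entities = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  const body = m[1].replace(/&(amp|lt|gt|quot|#39);/g, e => entities[e]);
  const result = { posted: [], alerts: 0 };
  new Function("postTo", "alert", body)(
    url => result.posted.push(url),
    () => { result.alerts++; });
  return result;
}

console.log("vulnerable:", simulateClick(renderPostLinkVulnerable(MALICIOUS_URL, "Proceed")));
console.log("hardened:  ", simulateClick(renderPostLinkSafe(MALICIOUS_URL, "Proceed")));
```

In the vulnerable rendering the attacker's `');` closes the string literal and the call, so clicking the link both POSTs to a truncated URL and runs `alert(1)`; in the hardened rendering postTo() receives the attacker's string byte-for-byte and nothing else executes. A payload built around `"` instead of `'` would try to break out of the attribute rather than the string literal, and the same layering stops it because `"` is already `\u0022` before the HTML layer sees it. Avoiding inline handlers altogether (URL in a data attribute, one delegated click handler) removes the JavaScript context and leaves only HTML attribute encoding to get right.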

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-43409
GHSA-64R9-X74Q-WXMH
RHSA-2023:0560
RHSA-2023:0777
RHSA-2023:1064
RHSA-2023:3198

Affected Products

Jenkins
Jenkins Pipeline: Supporting APIs Plugin