CVE-2022-38664: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

August 24, 2022 (updated November 28, 2022)

Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.

References

www.openwall.com/lists/oss-security/2022/08/23/2
github.com/advisories/GHSA-28w4-h56g-grg7
nvd.nist.gov/vuln/detail/CVE-2022-38664
www.jenkins.io/security/advisory/2022-08-23/

Detect and mitigate CVE-2022-38664 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →