CVE-2022-36902 — Stored XSS vulnerability in Jenkins Dynamic Extended Choice Parameter plugin

Description

Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape several fields of Moded Extended Choice parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

How to fix CVE-2022-36902

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2022-36902 being exploited?

Moderate — EPSS is 9.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, <= 1.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-36902
PATCHgithub.com/jenkinsci/dynamic-extended-choice-parameter-plugin
WEBwww.jenkins.io/security/advisory/2022-07-27/#SECURITY-2682
WEBwww.openwall.com/lists/oss-security/2022/07/27/1