CVE-2022-30956
Published: 17 May 2022
Summary
CVE-2022-30956 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Jenkins Rundeck. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks at the 40.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a stored cross-site scripting flaw in the Jenkins Rundeck Plugin versions 3.6.10 and earlier. It stems from a lack of URL scheme restrictions when processing Rundeck webhook submissions, allowing malicious payloads to be stored and later rendered in Jenkins user interfaces.
Attackers with the ability to submit crafted Rundeck webhook payloads can exploit the issue to inject and execute arbitrary scripts in the context of other users who view the affected Jenkins pages. Successful exploitation can lead to theft of credentials or session tokens and other actions within the Jenkins instance, though the CVSS vector requires some user interaction and limits impact to confidentiality and integrity without affecting availability.
The official Jenkins security advisory recommends upgrading the Rundeck Plugin to a version that enforces proper URL scheme validation for webhook data. Administrators are advised to apply the fix promptly and review any existing webhook configurations for signs of tampering.
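The fix described above is an allow-list on URL schemes. The following is an added example of such a check, not code from the Jenkins Rundeck Plugin; it is written in Python rather than the plugin's Java, and the webhook field names (`href`, `permalink`) are assumptions for illustration, not the plugin's real payload schema.

```python
from urllib.parse import urlsplit

# Assumption: legitimate webhook data only ever references HTTP(S) endpoints,
# so anything else (javascript:, data:, vbscript:, scheme-less) is rejected.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_url(value) -> bool:
    """Return True only for an absolute URL whose scheme is on the allow-list."""
    if not isinstance(value, str):
        return False
    # Browsers ignore surrounding whitespace and embedded tab/CR/LF when they
    # parse a scheme, so normalise the same way before deciding, rather than
    # trusting the raw text as submitted.
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\r\n")
    parts = urlsplit(cleaned)  # urlsplit lower-cases the scheme for us
    # A non-empty netloc rules out scheme-only values such as "https:///path".
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def sanitize_webhook_payload(payload: dict) -> dict:
    """Copy a webhook payload, dropping URL-typed fields that fail validation.

    Field names are constructed for this example, not the plugin's schema.
    Returns what was kept and which fields were rejected, so the caller can
    log the rejection instead of silently storing and later rendering it.
    """
    url_fields = {"href", "permalink"}
    accepted, rejected = {}, []
    for key, val in payload.items():
        if key in url_fields and not is_safe_url(val):
            rejected.append(key)
            continue
        accepted[key] = val
    return {"accepted": accepted, "rejected": rejected}
```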
The EPSS score for this CVE rose materially from a low baseline to a peak of 0.1406 before receding, indicating a period of increased exploitation interest well after initial disclosure. No evidence of widespread in-the-wild attacks is noted in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-2405
Vulnerability details
Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content rejects or sanitizes script content in generated web pages, reducing XSS exploitability.