Cyber Resilience

CVE-2022-30956

Severity: Medium
Published: 17 May 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0019 (40.5th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-30956 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in the Jenkins Rundeck Plugin. Its CVSS base score is 5.4 (Medium).

Operationally, its EPSS score ranks at the 40.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a stored cross-site scripting flaw in the Jenkins Rundeck Plugin versions 3.6.10 and earlier. It stems from a lack of URL scheme restrictions when processing Rundeck webhook submissions, allowing malicious payloads to be stored and later rendered in Jenkins user interfaces.

Attackers with the ability to submit crafted Rundeck webhook payloads can exploit the issue to inject and execute arbitrary scripts in the context of other users who view the affected Jenkins pages. Successful exploitation can lead to theft of credentials or session tokens and other actions within the Jenkins instance, though the CVSS vector requires some user interaction and limits impact to confidentiality and integrity without affecting availability.

The official Jenkins security advisory recommends upgrading the Rundeck Plugin to a version that enforces proper URL scheme validation for webhook data. Administrators are advised to apply the fix promptly and review any existing webhook configurations for signs of tampering.
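
The control the advisory describes is a positive allowlist on the URL scheme of webhook-supplied fields, applied before the value is stored or rendered. The following is an added illustrative example, written in Python rather than the plugin's Java, and is not code from the Jenkins Rundeck Plugin; the payload field names (`executionUrl`, `jobUrl`) and the sample payload are assumptions constructed for the demonstration. It normalizes the string the way a browser does before parsing (stripping leading and trailing C0 controls and spaces, deleting tab and newline), so that a value padded with whitespace is judged the same way the browser will later interpret it, and it rejects relative and authority-less forms rather than only known-bad schemes.

```python
"""Scheme allowlist for URL fields received from a webhook.

Added illustrative example, not code from the Jenkins Rundeck Plugin.
The field names in the sample payload are assumed for illustration.
"""
from urllib.parse import urlsplit

# Only these schemes may be stored and later rendered as links.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Browsers (per the WHATWG URL standard) strip leading/trailing C0 controls
# and spaces and delete ASCII tab/newline anywhere before parsing. The
# validator normalizes the same way so it judges the string a browser sees.
_C0_OR_SPACE = "".join(chr(c) for c in range(0x21))
_TAB_NEWLINE = {ord(c): None for c in "\t\n\r"}


def normalize_url(raw: str) -> str:
    """Apply the WHATWG pre-parse stripping described above."""
    return raw.strip(_C0_OR_SPACE).translate(_TAB_NEWLINE)


def is_allowed_url(raw: str) -> bool:
    """True only for an absolute URL whose scheme is on the allowlist.

    Relative URLs (no scheme) and scheme-only forms without an authority
    ("https:evil") are rejected as well: the rule is a positive allowlist,
    not a denylist of known-bad schemes.
    """
    parts = urlsplit(normalize_url(raw))
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def validate_webhook_payload(payload, url_fields=("executionUrl", "jobUrl")):
    """Split a webhook payload into (accepted_fields, rejected_field_names).

    URL-typed fields that fail the allowlist are dropped before storage;
    non-URL fields pass through unchanged (they still need output encoding
    when rendered, which is a separate control).
    """
    accepted, rejected = {}, []
    for key, value in payload.items():
        if key in url_fields and not (isinstance(value, str) and is_allowed_url(value)):
            rejected.append(key)
        else:
            accepted[key] = value
    return accepted, rejected


# Constructed sample payload (assumed field names, not a captured Rundeck webhook).
SAMPLE_PAYLOAD = {
    "job": "deploy-web",
    "status": "succeeded",
    "executionUrl": "https://rundeck.example.test/project/demo/execution/show/42",
    "jobUrl": "javascript:void(0)",
}

if __name__ == "__main__":
    kept, dropped = validate_webhook_payload(SAMPLE_PAYLOAD)
    print("stored:", kept)
    print("rejected fields:", dropped)
```

Run it as a script to see the sample payload split into the stored fields and the rejected `jobUrl`. Scheme allowlisting is the fix the advisory calls for, but it complements rather than replaces contextual output encoding of every webhook-derived value at render time.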

The EPSS score for this CVE rose materially from a low baseline to a peak of 0.1406 before receding, indicating a period of increased exploitation interest well after initial disclosure. No evidence of widespread in-the-wild attacks is noted in the provided references.

Vulnerability details

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

CWE(s)

CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins / rundeck (Rundeck Plugin), versions ≤ 3.6.10

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses: CWE-79)

Input validation checks web inputs and rejects script-related content that could produce XSS. (addresses: CWE-79)

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses: CWE-79)