CVE-2022-30970
Published: 17 May 2022
Summary
CVE-2022-30970 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Jenkins Autocomplete Parameter. Its CVSS base score is 5.4 (Medium).
Operationally, it ranks at the 44.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Deeper analysis
Jenkins Autocomplete Parameter Plugin 1.1 and earlier is affected by a stored cross-site scripting vulnerability tracked as CVE-2022-30970. The plugin references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, allowing malicious script to be persisted and later executed in other users' browsers. The issue carries a CVSS 3.1 score of 5.4 and is classified under CWE-79.
Attackers who possess Item/Configure permission on a Jenkins instance can exploit the flaw by supplying crafted parameter names that are stored in job configurations. When other users subsequently view the affected job pages, the injected script executes in their context with the potential to read limited data or perform actions on their behalf within the Jenkins application.
The Jenkins security advisory published on 2022-05-17 recommends that administrators update the Autocomplete Parameter Plugin to a version that resolves SECURITY-2267 and, where immediate patching is not feasible, restrict Item/Configure permissions to trusted users as a temporary control.
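As an added illustration of the flaw class described above (not code from the plugin or the advisory), the constructed snippet below contrasts splicing a parameter name straight into inline script source with emitting it as an encoded JavaScript string literal, plus a check a view template's tests could run over rendered output. The function names, the HTML skeleton and the sample parameter name are assumptions.

```python
import json

# Characters that can terminate a <script> block or an HTML attribute even
# after JSON quoting; they are replaced with JavaScript \u escapes so the
# browser never sees them as markup. json.dumps (ensure_ascii=True) already
# escapes non-ASCII, including the U+2028/U+2029 line terminators.
_HTML_SIGNIFICANT = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that is safe to embed
    inside an inline <script> block of an HTML page."""
    literal = json.dumps(value)  # handles quotes, backslashes, control chars
    for ch, esc in _HTML_SIGNIFICANT.items():
        literal = literal.replace(ch, esc)
    return literal


def render_unsafe(param_name: str) -> str:
    """Constructed illustration of the unsafe pattern: the parameter name is
    spliced verbatim into script source, so the name controls the script."""
    return f"<script>var paramName = '{param_name}';</script>"


def render_safe(param_name: str) -> str:
    """Hardened form: the name only ever appears as an encoded string literal."""
    return f"<script>var paramName = {js_string_literal(param_name)};</script>"


def script_block_intact(html: str) -> bool:
    """Output check for a rendered fragment that is supposed to contain one
    inline script: exactly one opening and one closing <script> tag, so no
    closing tag was smuggled in through embedded data."""
    lowered = html.lower()
    return lowered.count("<script") == 1 and lowered.count("</script") == 1


if __name__ == "__main__":
    # Constructed parameter name whose only purpose is to close the script tag.
    NAME = "Release</script>Name"
    print("unsafe intact:", script_block_intact(render_unsafe(NAME)))  # False
    print("safe intact:  ", script_block_intact(render_safe(NAME)))    # True
```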
The associated EPSS score rose sharply from a low baseline to a peak of 0.3160 on 2025-12-11 before receding, indicating that meaningful exploitation interest developed well after the original disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-3586
Vulnerability details
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.