CVE-2022-41240
Published: 21 September 2022
Summary
CVE-2022-41240 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Jenkins Walti. Its CVSS base score is 5.4 (Medium).
Operationally, this CVE ranks in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Jenkins Walti Plugin 1.0.1 and earlier contains a stored cross-site scripting vulnerability because it does not escape data returned by the Walti API. The flaw is tracked as CVE-2022-41240 with CWE-79 and carries a CVSS 3.1 base score of 5.4.
Attackers who can influence or supply malicious responses from the Walti API can store script content that is later executed in the browsers of other Jenkins users, resulting in limited confidentiality and integrity impact under the attack vector recorded in the CVSS score.
The Jenkins security advisory published on 2022-09-21 details the issue and is available at the referenced URL. The associated EPSS score has remained flat at 0.1625 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6736
Vulnerability details
Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects web inputs containing script-related content that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.