Cyber Resilience

CVE-2022-41240

Medium

Published: 21 September 2022

Modified: 28 May 2025
CVSS v3.1 base score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.1625 (95.0th percentile)
Risk priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-41240 is a medium-severity stored cross-site scripting (CWE-79) vulnerability in the Jenkins Walti Plugin. Its CVSS v3.1 base score is 5.4 (Medium).

Operationally, its EPSS score places it in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Jenkins Walti Plugin 1.0.1 and earlier contains a stored cross-site scripting vulnerability because it does not escape data returned by the Walti API. The flaw is tracked as CVE-2022-41240 with CWE-79 and carries a CVSS 3.1 base score of 5.4.

Attackers who can influence or supply malicious responses from the Walti API are able to store executable scripts that execute in the browsers of other Jenkins users, resulting in limited confidentiality and integrity impacts under the given attack vector.

The Jenkins security advisory published on 2022-09-21 details the issue and is listed under References. The associated EPSS score has remained flat at 0.1625, with no material increase after disclosure.

Vulnerability details

Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

CWE(s)

CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins / walti, versions ≤ 1.0.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation. (addresses: CWE-79)
- Input validation checks web inputs and rejects script-related content that could produce XSS. (addresses: CWE-79)
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability. (addresses: CWE-79)
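The root cause described above (API-returned strings placed into a Jenkins page without escaping) and the output-validation control just listed can be shown together in a short, self-contained Python example. This is an added illustration written for this page, not code from the Walti Plugin or from Jenkins, and it is deliberately generic: the JSON response, the field names `target`, `summary` and `findings`, and the rendering functions are all constructed for the example and are not the plugin's real API or views. `render_unsafe` reproduces the vulnerable pattern, `render_safe` applies contextual HTML escaping to every API-derived value, and `unexpected_tags` is an output check that flags any tag in the rendered fragment that the template itself does not emit.

```python
import html
import json
import re

# Constructed sample: a JSON document of the shape a third-party scanning API
# might return. Illustrative data only, not real Walti API output.
API_RESPONSE = json.dumps({
    "target": "example.internal",
    "summary": "<img src=x onerror=\"alert(document.domain)\">",
    "findings": ["open port 443", "<script>alert(1)</script>"],
})


def render_unsafe(api_json: str) -> str:
    """Vulnerable pattern (CWE-79): API-provided strings are concatenated
    straight into HTML, so any markup in the response is stored and later
    interpreted by every browser that views the page."""
    data = json.loads(api_json)
    items = "".join(f"<li>{f}</li>" for f in data["findings"])
    return f"<h2>{data['target']}</h2><p>{data['summary']}</p><ul>{items}</ul>"


def render_safe(api_json: str) -> str:
    """Hardened pattern: every API-derived value is HTML-escaped (including
    quotes) before it is placed in element content, so it renders as text."""
    data = json.loads(api_json)

    def esc(value) -> str:
        return html.escape(str(value), quote=True)

    items = "".join(f"<li>{esc(f)}</li>" for f in data["findings"])
    return (f"<h2>{esc(data['target'])}</h2>"
            f"<p>{esc(data['summary'])}</p><ul>{items}</ul>")


# Tags the template above is allowed to emit; anything else in the output
# means untrusted data reached the page as live markup.
ALLOWED_TAGS = {"h2", "p", "ul", "li"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9-]*)")


def unexpected_tags(fragment: str) -> set:
    """Output-validation check: returns the set of tag names present in the
    rendered fragment that the template does not itself produce."""
    found = {m.group(1).lower() for m in TAG_RE.finditer(fragment)}
    return found - ALLOWED_TAGS


if __name__ == "__main__":
    print("unsafe render leaks tags:", sorted(unexpected_tags(render_unsafe(API_RESPONSE))))
    print("safe render leaks tags:  ", sorted(unexpected_tags(render_safe(API_RESPONSE))))
```

The check in `unexpected_tags` is the kind of assertion a plugin's test suite can run over rendered views: feed a response containing markup and fail the build if any tag outside the template's own set survives. In a real Jenkins plugin the escaping would be done by the view layer rather than by hand; the point of the example is that the escaping step must cover every value that originates from the external API.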

References