GHSA-5g2c-j6v9-vf94

GitHub Security Advisory

Jenkins Custom Build Properties Plugin vulnerable to Cross-site Scripting

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. Custom Build Properties Plugin 2.82.v16d5b_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.

Affected Packages

Maven io.jenkins.plugins:custom-build-properties
Affected versions: 0 (fixed in 2.82.v16d5b)

Key Information

GHSA ID: GHSA-5g2c-j6v9-vf94
Published: December 12, 2022 9:30 AM
Last Modified: December 12, 2022 10:16 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: io.jenkins.plugins:custom-build-properties
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.