GHSA-64r9-x74q-wxmh

GitHub Security Advisory

Stored XSS vulnerability in Jenkins Pipeline: Supporting APIs Plugin

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks to build logs that send POST requests when clicked. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it.

Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.

Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of these hyperlinks in build logs.

Affected Packages

Maven org.jenkins-ci.plugins.workflow:workflow-support
Affected versions: from 0 up to, but not including, 839.v35e2736cfd5c (the fixed version)
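
One way to check a plugin inventory against the affected range above (an added example, not code from the advisory or the Jenkins project). It assumes inventory lines in `plugin:version` or `plugin version` form and that comparing the leading dotted integers of a version string is enough to order releases; the sample inventory is constructed.

```python
import re

PLUGIN_ID = "workflow-support"        # artifactId from the advisory's Maven coordinate
FIXED_VERSION = "839.v35e2736cfd5c"   # first fixed release named in the advisory


def numeric_prefix(version):
    """Leading dotted integers as a tuple: '838.va_3a_087b_4055b' -> (838,), '3.8' -> (3, 8)."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break  # stop at the commit-hash or qualifier component
        parts.append(int(piece))
    return tuple(parts)


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    prefix = numeric_prefix(version)
    if not prefix:
        return "unknown"  # no numeric prefix (e.g. a local build): review by hand
    return "affected" if prefix < numeric_prefix(FIXED_VERSION) else "fixed"


def audit(inventory):
    """Scan inventory lines and report every PLUGIN_ID entry as (line, version, status)."""
    findings = []
    for lineno, raw in enumerate(inventory.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"[:\s]+", line, maxsplit=1)
        if len(fields) != 2 or fields[0] != PLUGIN_ID:
            continue
        findings.append((lineno, fields[1], classify(fields[1])))
    return findings


# Constructed sample inventory, not taken from a real controller.
SAMPLE = """\
# constructed inventory
workflow-job:1234.vconstructed
workflow-support:838.va_3a_087b_4055b
workflow-support 839.v35e2736cfd5c
workflow-support:3.8
workflow-support:private-build
"""

if __name__ == "__main__":
    for lineno, version, status in audit(SAMPLE):
        print(f"line {lineno}: {PLUGIN_ID} {version} -> {status}")
```

Entries reported as `unknown` have no numeric prefix to compare and need a manual check against the fixed release.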

Related CVEs

Key Information

GHSA ID: GHSA-64r9-x74q-wxmh
Published: October 19, 2022 7:00 PM
Last Modified: December 16, 2022 5:16 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins.workflow:workflow-support
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.