Loading HuntDB...

GHSA-88qj-3q6h-8m5q

GitHub Security Advisory

Jenkins Build Environment Plugin vulnerable to Cross-site Scripting

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Build Environment Plugin did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission.

Jenkins applies the missing escaping by default since 2.146 and LTS 2.138.2, so newer Jenkins releases are not affected by this vulnerability.

Build Environment Plugin now escapes all variables displayed in its views.

Affected Packages

Maven org.jenkins-ci.plugins:build-environment
Affected versions: 0 (fixed in 1.7)

Related CVEs

Key Information

GHSA ID
GHSA-88qj-3q6h-8m5q
Published
May 24, 2022 4:55 PM
Last Modified
March 2, 2023 4:41 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:build-environment
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.