Jenkins CVS Plugin 2.19 and earlier does not escape the name and description of CVS Symbolic Name parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Affected Packages

Maven org.jenkins-ci.plugins:cvs

Affected versions: 0 (fixed in 2.19.1)

Related CVEs

CVE-2022-29037

Key Information

GHSA ID

GHSA-ghq2-m3pq-qf3p

Published

April 13, 2022 12:00 AM

Last Modified

May 3, 2022 8:52 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:cvs

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 4, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.