GHSA-jmxr-w2jc-qp7w

GitHub Security Advisory

Promotion names in Jenkins promoted builds Plugin are not validated when using Job DSL

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Jenkins promoted builds Plugin provides dedicated support for defining promotions using [Job DSL Plugin](https://plugins.jenkins.io/job-dsl).

promoted builds Plugin 873.v6149db_d64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other `config.xml` files.

promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 validate the names of promotions.
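The two consequences above follow from one missing check: a promotion name becomes a directory under the job (so separators and `..` decide where its `config.xml` lands) and is also rendered in pages and URLs (so HTML metacharacters become markup). The following is an added illustration, not the plugin's code or the exact rule its fix applies: a name validator for names arriving from Job DSL, plus a lexical path resolver that shows why an unchecked name can select a `config.xml` outside the promotions directory. The directory layout and the rejected character set are assumptions.

```python
from pathlib import PurePosixPath

# Characters this example refuses in a promotion name: path separators and
# traversal pieces (the name becomes a directory, so these decide where
# config.xml is written) and HTML/URL metacharacters (the name is also
# rendered in pages and URLs). This set is an assumption for the example,
# not the one the plugin's fix uses.
UNSAFE_CHARS = frozenset('?*/\\%!@#$^&|<>[]:;"\'')


def promotion_name_problem(name: str) -> str:
    """Return "" if the name is acceptable, otherwise a human-readable reason."""
    if not name or not name.strip():
        return "name is empty"
    if name.strip() in (".", ".."):
        return f"{name.strip()!r} is not an allowed name"
    for ch in name:
        if ord(ch) < 0x20 or ch == "\x7f":
            return "name contains a control character"
        if ch in UNSAFE_CHARS:
            return f"name contains unsafe character {ch!r}"
    return ""


def _lexical_resolve(path: PurePosixPath) -> PurePosixPath:
    """Collapse '.' and '..' components without touching the filesystem."""
    parts = []
    for part in path.parts:
        if part == "..":
            if parts and parts[-1] != path.anchor:  # never pop past the root
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts)


def promotion_dir(promotions_root: str, name: str) -> PurePosixPath:
    """Directory whose config.xml an unvalidated name would select."""
    return _lexical_resolve(PurePosixPath(promotions_root) / name)


def escapes_root(promotions_root: str, name: str) -> bool:
    """True if the name selects a directory outside (or equal to) the root."""
    root = PurePosixPath(promotions_root)
    return root not in promotion_dir(promotions_root, name).parents


if __name__ == "__main__":
    ROOT = "/var/jenkins_home/jobs/demo/promotions"  # constructed example path
    for candidate in ("release", "../../other-job", "rel<b>ease"):
        verdict = promotion_name_problem(candidate) or "ok"
        print(f"{candidate!r}: {verdict}; escapes root: {escapes_root(ROOT, candidate)}")
```

Note that `rel<b>ease` stays inside the promotions directory yet is still rejected: the path check alone would not cover the rendering problem, which is why the validator rejects on characters rather than on the resolved path.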

Affected Packages

Maven org.jenkins-ci.plugins:promoted-builds
Affected versions: 0 (fixed in 3.10.1)
Maven org.jenkins-ci.plugins:promoted-builds
Affected versions: 3.11 (fixed in 876.v99d29788b)

Key Information

GHSA ID
GHSA-jmxr-w2jc-qp7w
Published
April 13, 2022 12:00 AM
Last Modified
May 22, 2023 7:32 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:promoted-builds
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.