CVE-2022-34778: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

July 1, 2022 (updated July 13, 2022)

Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.

References

github.com/advisories/GHSA-8hv7-4vfc-w8pg
github.com/jenkinsci/testng-plugin-plugin/commit/a0d5f66521e3bc470047a0b683004ce8889d3369
nvd.nist.gov/vuln/detail/CVE-2022-34778
www.jenkins.io/security/advisory/2022-06-30/

Code Behaviors & Features

Detect and mitigate CVE-2022-34778 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →