CVE-2022-25191: 
Java vulnerability analysis and mitigation

CVE-2022-25191 is a stored cross-site scripting (XSS) vulnerability discovered in Jenkins Agent Server Parameter Plugin versions 1.0 and earlier. The vulnerability was disclosed on February 15, 2022, affecting the parameter names of agent server parameters in the plugin. This security issue impacts Jenkins installations using the affected plugin versions (Jenkins Advisory).

The vulnerability stems from the plugin's failure to properly escape parameter names of agent server parameters. The severity is rated as High with a CVSS v3.1 Base Score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

The vulnerability allows attackers with Item/Configure permission to execute stored cross-site scripting (XSS) attacks through crafted parameter names. This could potentially lead to unauthorized access, data theft, or manipulation of the Jenkins interface for other users (Jenkins Advisory).

The vulnerability has been fixed in Agent Server Parameter Plugin version 1.1, which properly escapes parameter names of agent server parameters. Users are strongly advised to upgrade to this version to mitigate the security risk (Jenkins Advisory).