CVE-2022-28149: 
Java vulnerability analysis and mitigation

CVE-2022-28149 affects the Jenkins Job and Node ownership Plugin versions 0.13.0 and earlier. The vulnerability was discovered and reported by Kevin Guerroudj, and was publicly disclosed on March 29, 2022. This security issue is identified as a stored cross-site scripting (XSS) vulnerability in the plugin's handling of secondary owner names (Jenkins Advisory, NVD).

The vulnerability is classified as a stored cross-site scripting (XSS) vulnerability with a CVSS v3.1 base score of 5.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The technical issue stems from the plugin's failure to properly escape the names of secondary owners, which creates an XSS vulnerability that can be exploited by attackers who have Item/Configure permission (Jenkins Advisory).

The vulnerability allows attackers with Item/Configure permission to execute arbitrary JavaScript code in the context of other users' browsers who view the affected pages. This could potentially lead to unauthorized access, data theft, or manipulation of Jenkins interface elements (Jenkins Advisory).

As of the advisory publication date, there was no fix available for this vulnerability in the Job and Node ownership Plugin. Users are advised to monitor for updates and consider restricting access to Item/Configure permissions to trusted users only (Jenkins Advisory).