CVE-2022-29036: 
Java vulnerability analysis and mitigation

CVE-2022-29036 is a stored cross-site scripting (XSS) vulnerability discovered in the Jenkins Credentials Plugin versions 1111.v35a307992395 and earlier, except for versions 1087.1089.v2f1b9ab040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1. The vulnerability was disclosed on April 12, 2022, affecting the Jenkins Credentials Plugin's parameter handling functionality (Jenkins Advisory).

The vulnerability occurs because the plugin does not properly escape the name and description of Credentials parameters on views displaying parameters. This security flaw has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires that parameters are listed on pages like 'Build With Parameters' and 'Parameters' pages, and that those pages are not hardened to prevent exploitation (NVD).

The vulnerability allows attackers with Item/Configure permission to execute stored cross-site scripting (XSS) attacks through the manipulation of parameter names and descriptions. This could potentially lead to the compromise of user sessions and unauthorized actions within the Jenkins environment (Jenkins Advisory).

The vulnerability has been fixed in multiple versions of the Credentials Plugin: 1112.vc87b7a3597f6, 1087.1089.v2f1b9ab040e4, 1074.1076.v39c30cecb0e2, and 2.6.1.1. Users are advised to upgrade to one of these fixed versions to protect against this vulnerability. The fix involves proper escaping of parameter names and descriptions in the affected views (Jenkins Advisory).