CVE-2022-29039: 
Java vulnerability analysis and mitigation

Jenkins Gerrit Trigger Plugin version 2.35.2 and earlier contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2022-29039. The vulnerability was discovered and disclosed on April 12, 2022, affecting the parameter handling functionality of the plugin. The issue specifically relates to the plugin's failure to properly escape the name and description of Base64 Encoded String parameters on views displaying parameters (Jenkins Advisory).

The vulnerability stems from improper escaping of parameter names and descriptions in the Gerrit Trigger Plugin. The issue is classified with a High severity CVSS rating. The vulnerability specifically affects views that display parameters, such as the 'Build With Parameters' and 'Parameters' pages. Exploitation requires that parameters are listed on another page and that those pages are not hardened against such attacks (Jenkins Advisory).

The vulnerability results in a stored cross-site scripting (XSS) vulnerability that can be exploited by attackers who have Item/Configure permission. When successfully exploited, it allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the affected parameter pages (Jenkins Advisory).

The vulnerability has been fixed in Gerrit Trigger Plugin version 2.35.3. Users are strongly advised to upgrade to this version to address the security issue. The fix involves properly escaping the name and description of the parameter types provided by the plugin (Jenkins Advisory).