CVE-2022-29041: 
Java vulnerability analysis and mitigation

Jenkins Jira Plugin versions 3.7 and earlier, except version 3.6.1, contained a stored cross-site scripting (XSS) vulnerability identified as CVE-2022-29041. The vulnerability was discovered and disclosed in April 2022, affecting the parameter handling functionality of the plugin. The issue specifically involved the plugin's failure to properly escape the name and description of Jira Issue and Jira Release Version parameters on views displaying parameters (Jenkins Advisory).

The vulnerability stems from improper input sanitization where the plugin fails to escape the name and description of Jira Issue and Jira Release Version parameters when they are displayed on parameter views. This creates a stored XSS vulnerability that can be exploited by attackers who have Item/Configure permission. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers with Item/Configure permission to execute stored cross-site scripting attacks through parameter names and descriptions. Successful exploitation requires that parameters are listed on pages such as 'Build With Parameters' and 'Parameters' pages, and that these pages are not hardened against such attacks (Jenkins Advisory).

The vulnerability has been fixed in Jenkins Jira Plugin versions 3.7.1 and 3.6.1. Users are advised to upgrade to these patched versions which properly escape the name and description of the parameter types they provide. The fix ensures proper input sanitization for Jira Issue and Jira Release Version parameters (Jenkins Advisory).