CVE-2022-29042: 
Java vulnerability analysis and mitigation

Jenkins Job Generator Plugin version 1.22 and earlier contains a stored cross-site scripting (XSS) vulnerability (CVE-2022-29042). The vulnerability was discovered as part of SECURITY-2617 and disclosed on April 12, 2022. The plugin fails to escape the name and description of Generator Parameter and Generator Choice parameters on Job Generator jobs' Build With Parameters views (Jenkins Advisory).

The vulnerability stems from improper neutralization of input during web page generation, specifically in how the plugin handles parameter names and descriptions. It is classified as a stored XSS vulnerability (CWE-79). The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers with Item/Configure permission to perform stored cross-site scripting attacks. Exploitation requires that parameters are listed on pages like 'Build With Parameters' and 'Parameters' pages, and that those pages are not hardened to prevent exploitation (Jenkins Advisory).

As of the advisory's publication on April 12, 2022, no fix was available for the Job Generator Plugin. Jenkins core has implemented protections against this type of vulnerability on the 'Build With Parameters' and 'Parameters' pages since version 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix (Jenkins Advisory).