CVE-2022-30960: 
Java vulnerability analysis and mitigation

Jenkins Application Detector Plugin version 1.0.8 and earlier contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2022-30960. The vulnerability was discovered and disclosed on May 17, 2022, affecting the parameter handling functionality of the plugin. The vulnerability specifically relates to the plugin's failure to properly escape the name of Chois Application Version parameters on views displaying parameters (Jenkins Advisory).

The vulnerability stems from improper parameter name escaping in the Application Detector Plugin. The issue manifests when displaying parameter views, where the plugin fails to implement proper escaping mechanisms for the name of Chois Application Version parameters. This vulnerability has been assigned a severity rating of High according to CVSS scoring system (Jenkins Advisory).

The vulnerability results in a stored cross-site scripting (XSS) vulnerability that can be exploited by attackers who have Item/Configure permission in Jenkins. The exploitation requires that parameters are listed on pages such as 'Build With Parameters' and 'Parameters' pages, and that these pages are not hardened against such attacks (Jenkins Advisory).

The vulnerability has been fixed in Application Detector Plugin version 1.0.9, which properly escapes the name and description of parameter types. Users are advised to upgrade to this version to mitigate the vulnerability. Jenkins core has implemented protections against such vulnerabilities since version 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix (Jenkins Advisory).