CVE-2022-34190: 
Java vulnerability analysis and mitigation

Jenkins Maven Metadata Plugin for Jenkins CI server Plugin version 2.1 and earlier contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2022-34190. The vulnerability was disclosed on June 22, 2022, and affects the plugin's handling of List maven artifact versions parameters (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's failure to properly escape the name and description of List maven artifact versions parameters on views displaying parameters. This creates a stored cross-site scripting vulnerability that can be exploited by attackers who have Item/Configure permission. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, this vulnerability allows attackers with Item/Configure permission to inject malicious HTML and JavaScript code into the Jenkins UI through parameter names and descriptions. The injected code would then be executed when other users view pages displaying these parameters (Jenkins Advisory).

As of the advisory publication date, there was no fix available for the Maven Metadata Plugin for Jenkins CI server Plugin version 2.1 and earlier. However, Jenkins core has implemented protections against this type of vulnerability on the 'Build With Parameters' and 'Parameters' pages since version 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix (Jenkins Advisory).