CVE-2022-46684: 
Java vulnerability analysis and mitigation

Jenkins Checkmarx Plugin version 2022.3.3 and earlier contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2022-46684. The vulnerability was discovered and disclosed on December 7, 2022, affecting the HTML report generation functionality of the plugin. This security issue impacts Jenkins installations using the affected versions of the Checkmarx Plugin (Jenkins Advisory).

The vulnerability stems from the plugin's failure to properly escape values returned from the Checkmarx service API before inserting them into HTML reports. The severity is rated as High according to CVSS metrics, with a base score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The technical issue lies in the HTML report generation process where unescaped API response values are directly inserted into the reports, creating an XSS vulnerability (NVD).

While the vulnerability requires Jenkins users to have Overall/Administer permission to configure the URL to the Checkmarx service, it remains exploitable through man-in-the-middle attacks. This could potentially allow attackers to execute malicious scripts in the context of users viewing the generated HTML reports (Jenkins Advisory).

The vulnerability has been fixed in Checkmarx Plugin version 2022.4.3, which properly escapes values returned from the Checkmarx service API before inserting them into HTML reports. Users are strongly advised to upgrade to this version or later to mitigate the security risk (Jenkins Advisory).