Description
Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Remediation
References
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1976
http://www.openwall.com/lists/oss-security/2020/09/16/3
Related Vulnerabilities
CVE-2021-39235 Vulnerability in maven package org.apache.ozone:ozone-main
CVE-2023-22832 Vulnerability in maven package org.apache.nifi:nifi-ccda-processors
CVE-2022-0155 Vulnerability in npm package follow-redirects
CVE-2020-27826 Vulnerability in maven package org.keycloak:keycloak-core
CVE-2022-31160 Vulnerability in maven package org.webjars:jquery-ui