A stored XSS vulnerability in the Jenkins GitHub Plugin allows authenticated attackers with read permissions to execute arbitrary JavaScript in the context of the application.

This vulnerability involves improper sanitization of job URLs within the GitHub hook trigger feature, allowing an attacker with existing "Overall/Read" permissions to inject malicious scripts that execute in the browser of other users.

Successful exploitation allows an attacker to perform actions on behalf of other users, potentially leading to unauthorized configuration changes or credential theft. With a CVSS score of 9.0, this critical severity reflects the potential for significant compromise of the CI/CD pipeline integrity and associated administrative accounts.

Immediate Action: Update the Jenkins GitHub Plugin to the latest available version as specified by the vendor security advisory.

Proactive Monitoring: Review access logs for suspicious activity involving job configuration changes or unusual URL parameters.

Compensating Controls: Implement strict Content Security Policy (CSP) headers where possible to mitigate the execution of unauthorized scripts.

Public Exploit Available: Unknown

Given the critical nature of this vulnerability and its impact on the development environment, administrators should prioritize patching the GitHub Plugin immediately. Failure to address this flaw could allow attackers to gain elevated control over the Jenkins instance.