CVE-2022-34170Cross-site Scripting in Project Jenkins

CWE-79Cross-site ScriptingCWE-22Path Traversal6 documents6 sources
Severity
5.4MEDIUMNVD
EPSS
3.8%
top 11.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project JenkinsJenkins
Timeline
PublishedJun 23
Latest updateJun 24

Description

In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5jenkins_project/jenkins2.320unspecified+3
NVDjenkins/jenkins2.3202.355+1

🔴Vulnerability Details

3
OSV
Cross-site Scripting vulnerability in Jenkins2022-06-24
GHSA
Cross-site Scripting vulnerability in Jenkins2022-06-24
CVEList
CVE-2022-34170: In Jenkins 22022-06-22

📋Vendor Advisories

2
Red Hat
Jenkins: Cross-site scripting (XSS) vulnerability in Jenkins LTS2022-06-22
Jenkins
Jenkins Security Advisory 2022-06-222022-06-22
CVE-2022-34170 — Cross-site Scripting | cvebase