Severity: 5.4 MEDIUM
EPSS: 3.2% (top 12.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 23; Latest update Jun 24

Description

In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.
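The following Java sketch is an added illustration, not Jenkins code and not from this page: it reproduces the shape of the bug in the description, a symbol-icon renderer that concatenates the title/alt value straight into the generated markup, beside a version that escapes it first. The class and method names (IconMarkup, renderUnescaped, renderEscaped, recoverTitle), the markup layout and the payload string are assumptions made for the demonstration; the local xmlEscape stands in for an XML-escaping helper such as hudson.Util.xmlEscape.

```java
// Added illustration of CVE-2022-34171's bug class (unescaped attribute value
// in generated SVG icon markup). Not Jenkins code; all names are hypothetical.
public class IconMarkup {

    /** Vulnerable shape: the title/alt value is concatenated into the markup as-is. */
    static String renderUnescaped(String symbolName, String title) {
        return "<span class=\"jenkins-icon\" title=\"" + title + "\">"
             + "<svg><use href=\"#" + symbolName + "\"/></svg></span>";
    }

    /** Fixed shape: every attribute value is escaped before it reaches the markup. */
    static String renderEscaped(String symbolName, String title) {
        return "<span class=\"jenkins-icon\" title=\"" + xmlEscape(title) + "\">"
             + "<svg><use href=\"#" + xmlEscape(symbolName) + "\"/></svg></span>";
    }

    /** Minimal XML attribute escaping (the five characters that matter in an attribute). */
    static String xmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Reads the title attribute the way a browser's tokenizer would: from the
     * opening quote to the next double quote, then decodes entities. If the
     * value is escaped, the original string comes back intact; if it is not,
     * a quote inside the value terminates the attribute early and whatever
     * follows is parsed as new attributes or tags.
     */
    static String recoverTitle(String html) {
        int start = html.indexOf("title=\"");
        if (start < 0) return null;
        start += "title=\"".length();
        int end = html.indexOf('"', start);
        String raw = end < 0 ? html.substring(start) : html.substring(start, end);
        return raw.replace("&quot;", "\"").replace("&#39;", "'")
                  .replace("&lt;", "<").replace("&gt;", ">").replace("&amp;", "&");
    }

    public static void main(String[] args) {
        // Constructed test input: closes the title attribute and injects an element.
        String payload = "\"><img src=x onerror=alert(1)>";

        String vuln = renderUnescaped("symbol-check", payload);
        String safe = renderEscaped("symbol-check", payload);

        System.out.println("unescaped markup: " + vuln);
        System.out.println("escaped markup:   " + safe);
        // The unescaped output contains a real <img> element; the escaped one does not.
        System.out.println("injected element present (unescaped/escaped): "
                + vuln.contains("<img") + " / " + safe.contains("<img"));
        // Browser's view of the attribute: empty string for the unescaped case
        // (the payload's leading quote ended it), the full payload as text otherwise.
        System.out.println("title as a browser sees it: ["
                + recoverTitle(vuln) + "] / [" + recoverTitle(safe) + "]");
    }
}
```

The check that matters is the last one: after escaping, the attacker-controlled text survives only as attribute data, never as markup, which is exactly the property the unescaped title and alt attributes in the affected versions lacked.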

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (3 packages)

Source | Package | Affected from | Up to / fixed in
CVEListV5 | jenkins_project/jenkins | 2.321 | unspecified (+3 more)
Maven | org.jenkins-ci.main:jenkins-core | 2.350 | 2.356 (+2 more)
NVD | jenkins/jenkins | 2.321 | 2.355 (+1 more)

Vulnerability Details (3)

OSV: Cross-site Scripting vulnerability in Jenkins (2022-06-24)
GHSA: Cross-site Scripting vulnerability in Jenkins (2022-06-24)
CVEList: CVE-2022-34171: In Jenkins 2 (2022-06-22)

Vendor Advisories (2)

Red Hat: Jenkins: Cross-site scripting (XSS) vulnerability in Jenkins LTS (2022-06-22)
Jenkins: Jenkins Security Advisory 2022-06-22 (2022-06-22)
CVE-2022-34171 (MEDIUM CVSS 5.4) | In Jenkins 2.321 through 2.355 (bot | cvebase.io