CVE-2022-34172
Published 2022-06-23
Priority P4 · CVSS 3.1 score 5.4 (medium) · vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS 1.35% (68.0th percentile)
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
Affected
33 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | agent_server_parameter_plugin | — | — |
| jenkins | beaker_builder_plugin | — | — |
| jenkins | convertigo_mobile_platform_plugin | — | — |
| jenkins | crx_content_package_deployer_plugin | — | — |
| jenkins | date_parameter_plugin | — | — |
| jenkins | dynamic_extended_choice_parameter_plugin | — | — |
| jenkins | easyqa_plugin | — | — |
| jenkins | embeddable_build_status_plugin | — | — |
| jenkins | filesystem_list_parameter_plugin | — | — |
| jenkins | hidden_parameter_plugin | — | — |
| jenkins | image_tag_parameter_plugin | — | — |
| jenkins | improper_authorization_in_embeddable_build_status_plugin | — | — |
| jenkins | input_step_plugin | — | — |
| jenkins | jenkins | 2.340 – 2.355 | — |
| jenkins | jenkins_ci_server_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | jianliao_notification_plugin | — | — |
| jenkins | junit_plugin | — | — |
| jenkins | maven_metadata_plugin | — | — |
| jenkins | nested_view_plugin | — | — |
| jenkins | ns-nd_integration_performance_publisher_plugin | — | — |
| jenkins | orchestrator_plugin | — | — |
| jenkins | package_version_plugin | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 5.4 | MEDIUM | — |
OSV
osv · 2022-06-24
CVE-2022-34172 [HIGH] Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.340, symbol-based icons unescape previously escaped values of `tooltip` parameters.
This vulnerability is known to be exploitable by attackers with Job/Configure permission.
Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 address this vulnerability. Symbol-based icons no longer unescape values of `tooltip` parameters.
GHSA
ghsa · 2022-06-24
CVE-2022-34172 [HIGH] CWE-22 Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.340, symbol-based icons unescape previously escaped values of `tooltip` parameters.
This vulnerability is known to be exploitable by attackers with Job/Configure permission.
Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 address this vulnerability. Symbol-based icons no longer unescape values of `tooltip` parameters.
Red Hat
vendor_redhat · 2022-06-22 · CVSS 5.4
CVE-2022-34172 [MEDIUM] CWE-79 Jenkins: Cross-site scripting (XSS) vulnerability in Jenkins LTS
In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.
Statement: This vulnerability affects Jenkins 2.340 through 2.355 (both inclusive). Red Hat products use Jenkins version 2.319, which is NOT affected by this vulnerability.
Package: jenkins (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: jenkins (Red Hat OpenShift Container Platform 4) - Not affected
Jenkins
vendor_jenkins · 2022-06-22 · CVSS 5.4
CVE-2017-2601 [MEDIUM] Jenkins Security Advisory 2022-06-22
Jenkins Security Advisory 2022-06-22
This advisory announces vulnerabilities in the following Jenkins deliverables:

- Jenkins (core)
- Agent Server Parameter Plugin
- Beaker builder Plugin
- Convertigo Mobile Platform Plugin
- CRX Content Package Deployer Plugin
- Date Parameter Plugin
- Dynamic
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2022-06-23