CVE-2022-34172 — Cross-site Scripting in Project Jenkins

CWE-79 — Cross-site Scripting CWE-22 — Path Traversal6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

4.8%

top 10.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Jenkins

Timeline

PublishedJun 23

Latest updateJun 24

Description

In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of 'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins2.340 — unspecified+1

▶NVDjenkins/jenkins2.340 — 2.355

🔴Vulnerability Details

OSV

Cross-site Scripting vulnerability in Jenkins↗2022-06-24

▶

GHSA

Cross-site Scripting vulnerability in Jenkins↗2022-06-24

▶

CVEList

CVE-2022-34172: In Jenkins 2↗2022-06-22

▶

📋Vendor Advisories

Red Hat

Jenkins: Cross-site scripting (XSS) vulnerability in Jenkins LTS↗2022-06-22

▶

Jenkins

Jenkins Security Advisory 2022-06-22↗2022-06-22

▶