CVE-2022-34173 — Cross-site Scripting in Project Jenkins

CWE-79 — Cross-site Scripting CWE-22 — Path Traversal6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

9.1%

top 7.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Jenkins

Timeline

PublishedJun 23

Latest updateJun 24

Description

In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins2.340 — unspecified+1

▶NVDjenkins/jenkins2.340 — 2.355

🔴Vulnerability Details

GHSA

Cross-site Scripting vulnerability in Jenkins↗2022-06-24

▶

OSV

Cross-site Scripting vulnerability in Jenkins↗2022-06-24

▶

CVEList

CVE-2022-34173: In Jenkins 2↗2022-06-22

▶

📋Vendor Advisories

Red Hat

Jenkins: Cross-site scripting (XSS) vulnerability in Jenkins LTS↗2022-06-22

▶

Jenkins

Jenkins Security Advisory 2022-06-22↗2022-06-22

▶