CVE-2022-34170

HIGH8.0EPSS 1.8%

Cross-site Scripting vulnerability in Jenkins

Published: 6/24/2022Modified: 4/3/2025

Description

In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Affected packages (2)

Bitnami/jenkins>= 2.320.0, < 2.355.1
Maven/org.jenkins-ci.main:jenkins-core>= 2.350, < 2.356

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-34170
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://github.com/jenkinsci/jenkins/commit/f71495a63f8b861e8ca3a5fcf5cc931fce55bc57
WEBhttps://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781