CVE-2022-34170
Severity: MEDIUM
Jenkins 2.320-2.355 and LTS 2.332.1-2.332.3 - Cross-Site Scripting in Help Icon Tooltip
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
References (1)
Vendor Advisory (x_refsource_confirm): https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781
Scores
CVSS v3: 5.4
EPSS: 0.0216
EPSS Percentile: 84.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (3)
jenkins/jenkins: 2.320 - 2.355
jenkins/jenkins: 2.332.1 - 2.332.3
org.jenkins-ci.main/jenkins-core: 2.350 - 2.356 (Maven)
Published: Jun 23, 2022
Tracked Since: Feb 18, 2026