CVE-2022-34173 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.340 <2.356

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.11821 pctl0.93467

Details

Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356 addresses this vulnerability. The tooltip of the build button in list views is now escaped. No Jenkins LTS release is affected by SECURITY-2776 or SECURITY-2780, as these were not present in Jenkins 2.332.x and fixed in the 2.346.x line before 2.346.1.

Metadata

Created: 2022-06-24T00:00:31Z
Modified: 2022-12-05T23:51:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-6g4r-q7qg-6qx6/GHSA-6g4r-q7qg-6qx6.json
CWE IDs: ["CWE-22", "CWE-79"]
Alternative ID: GHSA-6g4r-q7qg-6qx6
Finding: F008
Auto approve: 1