logo

Database

Reflected cross-site scripting (XSS) In org.jenkins-ci.main:jenkins-core

Description

Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name.

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356 addresses this vulnerability. The tooltip of the build button in list views is now escaped.

No Jenkins LTS release is affected by SECURITY-2776 or SECURITY-2780, as these were not present in Jenkins 2.332.x and fixed in the 2.346.x line before 2.346.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-341732. NVD-2022-341733. OSV-2022-341734. GCVE-2022-34173

References

1. https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.