Reflected cross-site scripting (XSS) in org.jenkins-ci.main:jenkins-core

Description

Cross-site scripting vulnerability in Jenkins. Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955.

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 address this vulnerability: the feature name in help icon tooltips is now escaped.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

FLAT-WD5GS – Vulnerability | Fluid Attacks Database