Reflected cross-site scripting (XSS) in org.jenkins-ci.main:jenkins-core

Description

Cross-site scripting vulnerability in Jenkins. Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon (until Jenkins 2.334) and the alt attribute of l:icon (since Jenkins 2.335) without further escaping.

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 address this vulnerability: the title attribute of l:ionicon (Jenkins LTS 2.332.4) and the alt attribute of l:icon (Jenkins 2.356 and LTS 2.346.1) are escaped in the generated HTML output.
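The defect the advisory describes, an attribute value interpolated into the icon markup without escaping, reduced to a small Java example. This is added here and is not Jenkins' own taglib code; the `<span>`/`<svg>` markup is a simplified stand-in for what the l:ionicon and l:icon tags actually emit, and `attributeIsIntact` is a hypothetical check that a unit test could apply to rendered output.

```java
/** Simplified stand-in for icon rendering; the markup is NOT Jenkins' actual output. */
public final class IconAttributeEscaping {

    /** Escapes the characters that can terminate or alter a double-quoted HTML attribute. */
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Pre-fix behaviour: the attribute value is copied verbatim into the markup. */
    static String renderIconUnescaped(String attrName, String value) {
        return "<span class=\"jenkins-icon\" " + attrName + "=\"" + value + "\"><svg/></span>";
    }

    /** Post-fix behaviour: the attribute value is escaped before interpolation. */
    static String renderIconEscaped(String attrName, String value) {
        return "<span class=\"jenkins-icon\" " + attrName + "=\"" + escapeAttr(value) + "\"><svg/></span>";
    }

    /** Hypothetical regression check: the attribute must close exactly where the renderer intended. */
    static boolean attributeIsIntact(String html, String attrName) {
        int start = html.indexOf(attrName + "=\"");
        if (start < 0) return false;
        int valueStart = start + attrName.length() + 2;
        int end = html.indexOf('"', valueStart);
        if (end < 0) return false;
        String value = html.substring(valueStart, end);
        // The closing quote must be followed by the SVG child, and the value must carry no raw markup.
        return html.startsWith("\"><svg/>", end) && value.indexOf('<') < 0 && value.indexOf('>') < 0;
    }

    public static void main(String[] args) {
        String sample = "Build \"nightly\" <beta>"; // constructed alt/title text, not from the advisory
        for (String attr : new String[] {"title", "alt"}) { // title for l:ionicon, alt for l:icon
            System.out.println(attr + " unescaped intact: " + attributeIsIntact(renderIconUnescaped(attr, sample), attr));
            System.out.println(attr + " escaped intact:   " + attributeIsIntact(renderIconEscaped(attr, sample), attr));
        }
    }
}
```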

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
