vulnerability
Jenkins Advisory 2022-06-22: CVE-2022-34170: CVE-2022-34171: CVE-2022-34172: CVE-2022-34173: Multiple XSS vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Jun 23, 2022 | Jul 12, 2022 | Mar 27, 2026 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Jun 23, 2022
Added
Jul 12, 2022
Modified
Mar 27, 2026
Description
In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Solutions
jenkins-lts-upgrade-2_332_4jenkins-upgrade-2_356
References
- CVE-2022-34170
- https://attackerkb.com/topics/CVE-2022-34170
- CVE-2022-34171
- https://attackerkb.com/topics/CVE-2022-34171
- CVE-2022-34172
- https://attackerkb.com/topics/CVE-2022-34172
- CVE-2022-34173
- https://attackerkb.com/topics/CVE-2022-34173
- CWE-79
- EUVD-EUVD-2022-5949
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-5949
- https://jenkins.io/security/advisory/2022-06-22/
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.