High severityNVD Advisory· Published Jun 22, 2022· Updated Aug 3, 2024

CVE-2022-34171

Description

In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.main:jenkins-coreMaven	>= 2.350, < 2.356	2.356
org.jenkins-ci.main:jenkins-coreMaven	>= 2.346, < 2.346.1	2.346.1
org.jenkins-ci.main:jenkins-coreMaven	< 2.332.4	2.332.4

Affected products

osv-coords2 versions
pkg:bitnami/jenkins pkg:maven/org.jenkins-ci.main/jenkins-core
>= 2.321.0, < 2.355.1+ 1 more
- (no CPE)range: >= 2.321.0, < 2.355.1
- (no CPE)range: >= 2.350, < 2.356
Jenkins Project/Jenkinscpe-rescue
Range: 2.321

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-7f84-p6r5-jr6qghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-34171ghsaADVISORY
www.jenkins.io/security/advisory/2022-06-22/ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000