CVE-2022-34170 — Cross-site Scripting vulnerability in Jenkins

Description

Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for [SECURITY-1955](https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955). This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability, the feature name in help icon tooltips is now escaped.

How to fix CVE-2022-34170

To remediate CVE-2022-34170, upgrade the affected package to a fixed version below.

—upgrade to 2.355.1 or later
—upgrade to 2.356 or later

Is CVE-2022-34170 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 2.320.0, < 2.355.1
>= 2.350, < 2.356

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-34170
PATCHgithub.com/jenkinsci/jenkins
WEBgithub.com/jenkinsci/jenkins/commit/f71495a63f8b861e8ca3a5fcf5cc931fce55bc57
WEBwww.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781