[MAVEN:GHSA-MHP7-3393-PFQR] Cross-site Scripting vulnerability in Jenkins

Severity High

Affected Packages 2

Fixed Packages 2

CVEs 1

Since Jenkins 2.340, symbol-based icons unescape previously escaped values of tooltip parameters.

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability. Symbol-based icons no longer unescape values of tooltip parameters.

Package	Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core	>= 2.332, < 2.332.4
pkg:maven/org.jenkins-ci.main/jenkins-core	>= 2.340, < 2.356

Package	Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.332.4
pkg:maven/org.jenkins-ci.main/jenkins-core	= 2.356

ID

MAVEN:GHSA-MHP7-3393-PFQR

Severity

high

URL

https://github.com/advisories/GHSA-mhp7-3393-pfqr

Published

2022-06-24T00:00:31
(2 years ago)

Modified

2023-01-31T05:02:39
(19 months ago)

Rights

Maven Security Team

Other Advisories

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2022-34172
			https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781
			https://github.com/advisories/GHSA-mhp7-3393-pfqr

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	>= 2.332 < 2.332.4
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.332.4
Affected	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	>= 2.340 < 2.356
Fixed	pkg:maven/org.jenkins-ci.main/jenkins-core	org.jenkins-ci.main	jenkins-core	= 2.356

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date