Security context
High· 8.0GHSA-6g4r-q7qg-6qx6 CVE-2022-34173CWE-22CWE-79Published Jun 24, 2022

Cross-site Scripting vulnerability in Jenkins

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

2.340 → fixed in 2.356

Details

Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356 addresses this vulnerability. The tooltip of the build button in list views is now escaped. No Jenkins LTS release is affected by SECURITY-2776 or SECURITY-2780, as these were not present in Jenkins 2.332.x and fixed in the 2.346.x line before 2.346.1.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References