PT-2022-22038 · Jenkins · Jenkins

Published: 2022-06-22 · Updated: 2024-03-06 · CVE-2022-34171

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.321 through 2.355; Jenkins LTS versions 2.332.1 through 2.332.3
Description: The HTML output generated for new symbol-based SVG icons in Jenkins includes the title attribute of l:ionicon (until Jenkins 2.334) and the alt attribute of l:icon (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability. This issue is known to be exploitable by attackers with Job/Configure permission.
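The defect described above, reduced to its essentials as an added example (stand-in icon markup written for this page, not Jenkins code): an attribute value concatenated into the generated SVG markup unescaped, next to the same rendering with HTML-attribute escaping, and a rough parser check showing why only the escaped form keeps the value inside the attribute. The constructed alt text is benign; it only contains the characters that matter.

```javascript
// Escape the characters that can terminate or alter a double-quoted
// HTML attribute value (hypothetical helper, not a Jenkins API).
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Reverse of escapeAttr, used only to check the round trip below.
function decodeAttr(value) {
  return value
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Vulnerable pattern the advisory describes: the caller-controlled alt
// text is inserted into the icon markup without escaping.
function renderIconUnescaped(symbol, alt) {
  return `<svg class="symbol-${symbol}" alt="${alt}"><use href="#${symbol}"/></svg>`;
}

// Fixed pattern: every attribute value passes through escapeAttr.
function renderIconEscaped(symbol, alt) {
  const s = escapeAttr(symbol);
  return `<svg class="symbol-${s}" alt="${escapeAttr(alt)}"><use href="#${s}"/></svg>`;
}

// Roughly how an HTML parser reads the alt value: everything up to the
// next double quote. Returns null when no alt attribute is present.
function parsedAlt(html) {
  const m = / alt="([^"]*)"/.exec(html);
  return m ? decodeAttr(m[1]) : null;
}

// Constructed, benign alt text containing a quote and angle brackets.
const SAMPLE_ALT = 'Build "nightly" <main> status';

// With the unescaped render the attribute ends at the first quote and the
// rest of the text lands in attribute position of the tag; with the
// escaped render the original text round-trips unchanged.
parsedAlt(renderIconUnescaped('check', SAMPLE_ALT)); // 'Build '
parsedAlt(renderIconEscaped('check', SAMPLE_ALT));   // 'Build "nightly" <main> status'
```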
Recommendations: For Jenkins versions 2.321 through 2.355, update to version 2.356 or later to address the vulnerability. For Jenkins LTS versions 2.332.1 through 2.332.3, update to version 2.332.4 or later to address the vulnerability. As a temporary workaround, consider restricting access to the HTML output generated for new symbol-based SVG icons until a patch is available.

Fix · Path traversal · XSS

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2022-34171
CVE-2022-34171
GHSA-7F84-P6R5-JR6Q

Affected Products

Jenkins