PT-2022-22039 · Jenkins · Jenkins
Published
2022-06-22
·
Updated
2024-03-06
·
CVE-2022-34172
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.340 through 2.355
Description
The issue arises from symbol-based icons unescaping previously escaped values of tooltip parameters: a tooltip value that has already been HTML-escaped is unescaped again before it is written into the page, so the escaping is undone and attacker-controlled markup reaches the browser. The result is a cross-site scripting (XSS) vulnerability. It is known to be exploitable by attackers with Job/Configure permission.
Recommendations
For versions 2.340 through 2.355, update to Jenkins 2.356 or apply one of the following LTS updates: 2.332.4 or 2.346.1. These versions address the vulnerability by ensuring that symbol-based icons no longer unescape values of tooltip parameters. The running version is shown in the footer of every Jenkins page, so confirm it there after updating.
Until the update can be applied, restrict Job/Configure permission to trusted users, since that permission is what an attacker needs to exploit the issue.
Fix
Path traversal
XSS
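The escape-then-unescape sequence that the description above attributes to symbol-based icons, modelled in Python as an added example. This is not Jenkins code (Jenkins renders its icons from Jelly templates in Java); the function names, the `tooltip` attribute name, the markup shape and the payload are assumptions chosen to illustrate the mechanism. The vulnerable renderer undoes the caller's escaping before writing the value into an HTML attribute, while the fixed renderer leaves the escaped value alone, which is the behaviour the advisory describes for 2.356 and the listed LTS releases. The check at the end parses the produced markup the way a browser would and reports any event-handler attribute that appeared, which is the sign that the tooltip value broke out of its attribute.

```python
import html
from html.parser import HTMLParser
from typing import Optional

# Constructed payload (assumption): a tooltip value an attacker with
# Job/Configure permission could store. The double quote is meant to close
# the tooltip attribute and smuggle in an event handler.
MALICIOUS_TOOLTIP = 'Build status" onmouseover="alert(document.domain)'


def render_icon_vulnerable(tooltip: str) -> str:
    """Model of the pre-fix behaviour described in the advisory.

    The template escapes the value for HTML, but the icon renderer then
    unescapes it again before writing it into the tooltip attribute, so the
    caller's escaping is thrown away.
    """
    escaped = html.escape(tooltip, quote=True)   # what the caller hands over
    unescaped = html.unescape(escaped)            # the flaw: undoing that work
    return (f'<span class="jenkins-symbol" tooltip="{unescaped}">'
            f'<svg aria-hidden="true"></svg></span>')


def render_icon_fixed(tooltip: str) -> str:
    """Model of the fixed behaviour: the escaped value is written as-is."""
    escaped = html.escape(tooltip, quote=True)
    return (f'<span class="jenkins-symbol" tooltip="{escaped}">'
            f'<svg aria-hidden="true"></svg></span>')


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []  # list of (tag name, {attribute: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def _parse(markup: str):
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags


def event_handlers(markup: str) -> list:
    """Return the on* attributes a browser would see in the markup.

    The tooltip text must stay inside the tooltip attribute; any on*
    attribute here means the value broke out and attacker-controlled script
    would run on hover or click.
    """
    return sorted(name for _, attrs in _parse(markup)
                  for name in attrs if name.startswith("on"))


def tooltip_value(markup: str) -> Optional[str]:
    """Return the tooltip attribute as a browser would decode it (entities resolved)."""
    for tag, attrs in _parse(markup):
        if tag == "span" and "tooltip" in attrs:
            return attrs["tooltip"]
    return None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_icon_vulnerable),
                         ("fixed", render_icon_fixed)):
        markup = render(MALICIOUS_TOOLTIP)
        print(f"{name}: {markup}")
        print(f"  injected handlers: {event_handlers(markup)}")
        print(f"  tooltip as decoded by browser: {tooltip_value(markup)!r}")
```

In the vulnerable output the browser sees `tooltip="Build status"` followed by a separate `onmouseover` attribute; in the fixed output the whole payload, quotes included, stays inside the tooltip attribute and is shown as text. The same parser-based check can be pointed at any rendered page fragment to confirm that a value meant for an attribute did not turn into extra attributes or tags.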
Related Identifiers
Affected Products
Jenkins