PT-2022-25739 · Jenkins · Jenkins

Daniel Beck

·

Published

2022-09-21

·

Updated

2024-03-06

·

CVE-2022-41224

CVSS v3.1

8.0

High

Vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.367 through 2.369

Description: Jenkins 2.367 through 2.369 does not escape the tooltip of the l:helpIcon UI component, which is used for some help icons on the Jenkins web UI. This results in a stored cross-site scripting (XSS) vulnerability that is exploitable by attackers able to control the tooltip of this component. As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or in plugins published by the Jenkins project: the vast majority of help icons use the l:help component instead of l:helpIcon, and the few known instances of l:helpIcon do not have user-controllable tooltip contents.

Recommendations: For Jenkins versions 2.367 through 2.369, consider disabling the l:helpIcon UI component until a patch is available, to prevent potential exploitation of the stored cross-site scripting vulnerability. Restrict access to the Jenkins web UI to minimize the risk of exploitation. Avoid using user-controllable tooltips in the l:helpIcon component until the issue is resolved.
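As an added illustration of the bug class described above (this is not Jenkins' own code; the renderer, the escaper and the element names are hypothetical stand-ins for the Jelly template), the same tooltip is rendered once without and once with attribute escaping, followed by a simple check that the value stayed inside the attribute:

```java
/** Illustration of an unescaped tooltip attribute (hypothetical, not Jenkins code). */
public class HelpIconTooltip {

    /** Vulnerable renderer: the tooltip is interpolated into the attribute verbatim. */
    static String renderUnescaped(String tooltip) {
        return "<span class=\"help-icon\" tooltip=\"" + tooltip + "\">?</span>";
    }

    /** Hardened renderer: every attribute-significant character is escaped first. */
    static String renderEscaped(String tooltip) {
        return "<span class=\"help-icon\" tooltip=\"" + escapeAttribute(tooltip) + "\">?</span>";
    }

    /** Minimal HTML attribute escaper, standing in for the framework's own helper. */
    static String escapeAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Review check: the template contributes exactly two '<'; any more means a breakout. */
    static boolean staysInsideAttribute(String html) {
        long openers = html.chars().filter(ch -> ch == '<').count();
        return openers == 2;
    }

    public static void main(String[] args) {
        // Constructed tooltip value that closes the attribute and opens a new tag.
        String hostile = "Build help\" data-x=\"<b>injected</b>";
        String bad = renderUnescaped(hostile);
        String good = renderEscaped(hostile);
        System.out.println(bad + "  -> inside attribute: " + staysInsideAttribute(bad));   // false
        System.out.println(good + "  -> inside attribute: " + staysInsideAttribute(good)); // true
    }
}
```

The same counting check can be run over the rendered output of any template that interpolates user-controlled values into attributes, which is how a reviewer would triage other l:helpIcon usages.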

Fix

Weakness Enumeration

XSS

Related Identifiers

BIT-JENKINS-2022-41224
CVE-2022-41224
GHSA-XPVP-H73C-M9RQ

Affected Products

Jenkins