GHSA-mhp7-3393-pfqr

GitHub Security Advisory

Cross-site Scripting vulnerability in Jenkins

✓ GitHub Reviewed HIGH Has CVE

Since Jenkins 2.340, symbol-based icons unescape previously escaped values of `tooltip` parameters.

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability. Symbol-based icons no longer unescape values of `tooltip` parameters.

Maven org.jenkins-ci.main:jenkins-core

Affected versions: 2.340 (fixed in 2.356)

Maven org.jenkins-ci.main:jenkins-core

Affected versions: 2.332 (fixed in 2.332.4)

CVE-2022-34172

GHSA ID

GHSA-mhp7-3393-pfqr

Published

June 24, 2022 12:00 AM

Last Modified

December 6, 2022 12:02 AM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.main:jenkins-core

GitHub Reviewed

✓ Yes

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.