Cross-site Scripting vulnerability in Jenkins
High severity
GitHub Reviewed
Published Jun 24, 2022 to the GitHub Advisory Database • Updated Jan 31, 2023
Package
Affected versions
>= 2.350, < 2.356
>= 2.346, < 2.346.1
< 2.332.4
Patched versions
2.356
2.346.1
2.332.4
Description
Published by the National Vulnerability Database: Jun 23, 2022
Published to the GitHub Advisory Database: Jun 24, 2022
Reviewed: Dec 6, 2022
Last updated: Jan 31, 2023
Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for the new symbol-based SVG icons includes the title attribute of l:ionicon (until Jenkins 2.334) and the alt attribute of l:icon (since Jenkins 2.335) without further escaping. A user who controls the string that ends up in that attribute can close the attribute value and inject arbitrary markup, including event-handler attributes, into the rendered page (stored cross-site scripting).

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 address this vulnerability: the title attribute of l:ionicon (Jenkins LTS 2.332.4) and the alt attribute of l:icon (Jenkins 2.356 and LTS 2.346.1) are escaped in the generated HTML output.