Lucene search

K
osvGoogleOSV:GHSA-62WF-24C4-8R76
HistoryJun 24, 2022 - 12:00 a.m.

Cross-site Scripting vulnerability in Jenkins

2022-06-2400:00:31
Google
osv.dev
11

0.001 Low

EPSS

Percentile

22.0%

Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955.

This vulnerability is known to be exploitable by attackers with Job/Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability, the feature name in help icon tooltips is now escaped.