
CVE-2022-34173: Cross-site Scripting vulnerability in Jenkins

CVSS Score: 8 (CVSS 3.1)

Basic Information

EPSS Score: 0.90563%
Published: 6/24/2022
Updated: 1/31/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name: org.jenkins-ci.main:jenkins-core
Ecosystem: maven
Vulnerable Versions: >= 2.340, < 2.356
First Patched Version: 2.356

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unescaped HTML rendering in the build button tooltip. Jenkins uses Jelly templates for UI rendering, and the advisory specifically mentions list view tooltips as the attack vector. The fix in 2.356 involved adding HTML escaping to this component. While exact function names aren't provided in public disclosures, the Jelly template responsible for list view rendering (index.jelly) would contain the vulnerable interpolation of the job display name into the tooltip attribute without escaping.

Vulnerable functions


WAF Protection Rules

WAF Rule

Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356 addresses this vulnerabi
