{"api_version":"1","generated_at":"2026-04-23T05:59:09+00:00","cve":"CVE-2022-34170","urls":{"html":"https://cve.report/CVE-2022-34170","api":"https://cve.report/api/cve/CVE-2022-34170.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-34170","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-34170"},"summary":{"title":"CVE-2022-34170","description":"In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.","state":"PUBLIC","assigner":"jenkinsci-cert@googlegroups.com","published_at":"2022-06-23 17:15:00","updated_at":"2023-11-03 02:52:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781","name":"https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781","refsource":"CONFIRM","tags":[],"title":"Jenkins Security Advisory 2022-06-22","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-34170","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34170","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"34170","vulnerable":"1","versionEndIncluding":"2.332.3","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"34170","vulnerable":"1","versionEndIncluding":"2.355","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jenkins","cpe5":"jenkins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-34170","qid":"502482","title":"Alpine Linux Security Update for jenkins"},{"cve":"CVE-2022-34170","qid":"690884","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for jenkins (25be46f0-f25d-11ec-b62a-00e081b7aa2d)"},{"cve":"CVE-2022-34170","qid":"730532","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities (Jenkins Security Advisory 2022-06-22)"},{"cve":"CVE-2022-34170","qid":"730533","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730534","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730535","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730540","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730545","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730546","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730547","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730549","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730554","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730555","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730557","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730558","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730559","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730560","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730561","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"},{"cve":"CVE-2022-34170","qid":"730562","title":"Jenkins Multiple Cross-Site Scripting (XSS) Vulnerabilities"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-34170","ASSIGNER":"jenkinsci-cert@googlegroups.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Jenkins project","product":{"product_data":[{"product_name":"Jenkins","version":{"version_data":[{"version_affected":"<","version_name":"2.320","version_value":"unspecified"},{"version_affected":"<=","version_name":"unspecified","version_value":"2.355"},{"version_affected":"<","version_name":"LTS 2.332.1","version_value":"unspecified"}]}}]}}]}},"references":{"reference_data":[{"url":"https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781","refsource":"MISC","name":"https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781"}]}},"nvd":{"publishedDate":"2022-06-23 17:15:00","lastModifiedDate":"2023-11-03 02:52:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*","versionStartIncluding":"2.332.1","versionEndIncluding":"2.332.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*","versionStartIncluding":"2.320","versionEndIncluding":"2.355","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}