{"id":"CVE-2022-34171","details":"In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting in a cross-site scripting (XSS) vulnerability.","aliases":["BIT-jenkins-2022-34171","GHSA-7f84-p6r5-jr6q"],"modified":"2026-04-10T04:49:01.688742Z","published":"2022-06-23T17:15:15.317Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"9cf70b057886fb8191e434f23cd568d8c6f25c45"},{"last_affected":"d43d0b51dd18bca980f7d384ec4a353a2a66b818"},{"introduced":"0a508f3a097f5e36b768eba98474b505e53ffc34"},{"last_affected":"ac238ed0a627ac941513893c998c8f2bf018a649"}],"database_specific":{"versions":[{"introduced":"2.321"},{"last_affected":"2.355"},{"introduced":"2.332.1"},{"last_affected":"2.332.3"}]}}],"versions":["jenkins-2.321","jenkins-2.322","jenkins-2.323","jenkins-2.324","jenkins-2.325","jenkins-2.326","jenkins-2.327","jenkins-2.328","jenkins-2.329","jenkins-2.330","jenkins-2.331","jenkins-2.332","jenkins-2.332.1","jenkins-2.332.2","jenkins-2.332.2-rc","jenkins-2.332.2-rc-2","jenkins-2.332.3","jenkins-2.332.3-rc","jenkins-2.333","jenkins-2.334","jenkins-2.335","jenkins-2.336","jenkins-2.337","jenkins-2.338","jenkins-2.339","jenkins-2.340","jenkins-2.341","jenkins-2.342","jenkins-2.343","jenkins-2.344","jenkins-2.345","jenkins-2.346","jenkins-2.347","jenkins-2.348","jenkins-2.349","jenkins-2.350","jenkins-2.351","jenkins-2.352","jenkins-2.353","jenkins-2.354","jenkins-2.355"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-34171.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}