VulnerableCode Package Details - pkg:maven/org.jenkins-ci.main/jenkins-core@2.332.4

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-gua8-x599-fqad	Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for [SECURITY-1955](https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955). This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability, the feature name in help icon tooltips is now escaped.	CVE-2022-34170 GHSA-62wf-24c4-8r76
VCID-j861-35t6-8qep	Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the `title` attribute of `l:ionicon` until Jenkins 2.334 and `alt` attribute of `l:icon` since Jenkins 2.335 without further escaping. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability, the `title` attribute of `l:ionicon` (Jenkins LTS 2.332.4) and `alt` attribute of `l:icon` (Jenkins 2.356 and LTS 2.346.1) are escaped in the generated HTML output.	CVE-2022-34171 GHSA-7f84-p6r5-jr6q
VCID-uwfz-czcp-qyd9	Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.340, symbol-based icons unescape previously escaped values of `tooltip` parameters. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability. Symbol-based icons no longer unescape values of `tooltip` parameters.	CVE-2022-34172 GHSA-mhp7-3393-pfqr
VCID-vgg4-g95a-gkey	Observable timing discrepancy allows determining username validity in Jenkins In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.	CVE-2022-34174 GHSA-9grj-j43m-mjqr

Vulnerability

Summary

Aliases

VCID-gua8-x599-fqad

Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for [SECURITY-1955](https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955). This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability, the feature name in help icon tooltips is now escaped.

CVE-2022-34170
GHSA-62wf-24c4-8r76

VCID-j861-35t6-8qep

Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the `title` attribute of `l:ionicon` until Jenkins 2.334 and `alt` attribute of `l:icon` since Jenkins 2.335 without further escaping. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability, the `title` attribute of `l:ionicon` (Jenkins LTS 2.332.4) and `alt` attribute of `l:icon` (Jenkins 2.356 and LTS 2.346.1) are escaped in the generated HTML output.

CVE-2022-34171
GHSA-7f84-p6r5-jr6q

VCID-uwfz-czcp-qyd9

Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.340, symbol-based icons unescape previously escaped values of `tooltip` parameters. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability. Symbol-based icons no longer unescape values of `tooltip` parameters.

CVE-2022-34172
GHSA-mhp7-3393-pfqr

VCID-vgg4-g95a-gkey

Observable timing discrepancy allows determining username validity in Jenkins In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.

CVE-2022-34174
GHSA-9grj-j43m-mjqr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T16:02:42.830293+00:00	GHSA Importer	Fixing	VCID-uwfz-czcp-qyd9	https://github.com/advisories/GHSA-mhp7-3393-pfqr	38.0.0
2026-04-01T16:02:42.804437+00:00	GHSA Importer	Fixing	VCID-gua8-x599-fqad	https://github.com/advisories/GHSA-62wf-24c4-8r76	38.0.0
2026-04-01T16:02:42.777883+00:00	GHSA Importer	Fixing	VCID-j861-35t6-8qep	https://github.com/advisories/GHSA-7f84-p6r5-jr6q	38.0.0
2026-04-01T16:02:41.981207+00:00	GHSA Importer	Fixing	VCID-vgg4-g95a-gkey	https://github.com/advisories/GHSA-9grj-j43m-mjqr	38.0.0
2026-04-01T13:07:35.815897+00:00	GithubOSV Importer	Fixing	VCID-gua8-x599-fqad	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-62wf-24c4-8r76/GHSA-62wf-24c4-8r76.json	38.0.0
2026-04-01T13:07:32.320024+00:00	GithubOSV Importer	Fixing	VCID-uwfz-czcp-qyd9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-mhp7-3393-pfqr/GHSA-mhp7-3393-pfqr.json	38.0.0
2026-04-01T13:07:28.646549+00:00	GithubOSV Importer	Fixing	VCID-vgg4-g95a-gkey	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-9grj-j43m-mjqr/GHSA-9grj-j43m-mjqr.json	38.0.0
2026-04-01T13:07:26.992811+00:00	GithubOSV Importer	Fixing	VCID-j861-35t6-8qep	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-7f84-p6r5-jr6q/GHSA-7f84-p6r5-jr6q.json	38.0.0