Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-uwfz-czcp-qyd9
Vulnerability ID VCID-uwfz-czcp-qyd9
Aliases CVE-2022-34172
GHSA-mhp7-3393-pfqr
Summary Cross-site Scripting vulnerability in Jenkins Since Jenkins 2.340, symbol-based icons unescape previously escaped values of `tooltip` parameters. This vulnerability is known to be exploitable by attackers with Job/Configure permission. Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 addresses this vulnerability. Symbol-based icons no longer unescape values of `tooltip` parameters.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34172.json
epss 0.04819 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.04819 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.04819 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.04819 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.04819 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.06403 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.06403 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.06403 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.06403 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.06403 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
epss 0.06403 https://api.first.org/data/v1/epss?cve=CVE-2022-34172
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-mhp7-3393-pfqr
cvssv3.1 8.0 https://github.com/jenkinsci/jenkins
generic_textual HIGH https://github.com/jenkinsci/jenkins
cvssv3.1 8.0 https://nvd.nist.gov/vuln/detail/CVE-2022-34172
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-34172
cvssv3.1 8.0 https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781
generic_textual HIGH https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34172.json
https://api.first.org/data/v1/epss?cve=CVE-2022-34172
https://github.com/jenkinsci/jenkins
https://nvd.nist.gov/vuln/detail/CVE-2022-34172
https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781
2119650 https://bugzilla.redhat.com/show_bug.cgi?id=2119650
GHSA-mhp7-3393-pfqr https://github.com/advisories/GHSA-mhp7-3393-pfqr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34172.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-34172
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2781
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.89506
EPSS Score 0.04819
Published At April 13, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:07:32.299147+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-mhp7-3393-pfqr/GHSA-mhp7-3393-pfqr.json 38.0.0