CVE-2022-34171: 
Java vulnerability analysis and mitigation

CVE-2022-34171 is a cross-site scripting (XSS) vulnerability affecting Jenkins versions 2.321 through LTS 2.332.3. The vulnerability was discovered and disclosed on June 22, 2022, as part of a broader security advisory. The issue specifically affects the HTML output generated for new symbol-based SVG icons, where the 'title' attribute of 'l:ionicon' and 'alt' attribute of 'l:icon' are included without proper escaping (Jenkins Advisory).

The vulnerability is classified as a cross-site scripting (XSS) issue with a High severity rating. The technical issue stems from the HTML output generated for new symbol-based SVG icons, which includes the title attribute of l:ionicon (until Jenkins 2.334) and alt attribute of l:icon (since Jenkins 2.335) without proper escaping. This vulnerability is part of a broader set of XSS issues tracked under SECURITY-2781, and is specifically identified as SECURITY-2761 (Jenkins Advisory).

The vulnerability allows attackers with Job/Configure permission to inject HTML and JavaScript into the Jenkins UI, potentially compromising the security of the Jenkins installation. This could lead to unauthorized access, data theft, or manipulation of Jenkins functionality (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.356, LTS 2.332.4, and LTS 2.346.1. The fix involves properly escaping the title attribute of l:ionicon and alt attribute of l:icon in the generated HTML output. Users are strongly advised to upgrade to these versions or later to address the vulnerability (Jenkins Advisory).