CVE-2022-34173: 
Java vulnerability analysis and mitigation

In Jenkins 2.340 through 2.355 (both inclusive), a cross-site scripting (XSS) vulnerability was discovered where the tooltip of the build button in list views supports HTML without escaping the job display name (CVE-2022-34173). This vulnerability was disclosed on June 22, 2022, and affects Jenkins core installations (Jenkins Advisory).

The vulnerability is classified as a cross-site scripting (XSS) issue with a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability stems from insufficient input sanitization where the tooltip of the build button in list views accepts HTML content without proper escaping of the job display name (NVD).

This vulnerability allows attackers with Job/Configure permission to inject HTML and JavaScript into the Jenkins UI through the job display name, which could lead to execution of malicious scripts in the context of other users' browsers when they view the affected list views (Jenkins Advisory).

The vulnerability was fixed in Jenkins 2.356 and LTS 2.346.1, where the tooltip of the build button in list views is now properly escaped. Users should upgrade to these or later versions to address the vulnerability. No Jenkins LTS release was affected by this vulnerability as it was not present in Jenkins 2.332.x and was fixed in the 2.346.x line before 2.346.1 (Jenkins Advisory).