Alpine: multiple jenkins packages: security update to 2.346.2-r0

high Tenable Cloud Security Plugin ID 405046

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the
help icon does not escape the feature name that is part of its tooltip, effectively undoing the fix for
SECURITY-1955, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with
Job/Configure permission. (CVE-2022-34170)

- In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 through LTS 2.332.3 (both inclusive) the
HTML output generated for new symbol-based SVG icons includes the 'title' attribute of 'l:ionicon' (until
Jenkins 2.334) and 'alt' attribute of 'l:icon' (since Jenkins 2.335) without further escaping, resulting
in a cross-site scripting (XSS) vulnerability. (CVE-2022-34171)

- In Jenkins 2.340 through 2.355 (both inclusive) symbol-based icons unescape previously escaped values of
'tooltip' parameters, resulting in a cross-site scripting (XSS) vulnerability. (CVE-2022-34172)

- In Jenkins 2.340 through 2.355 (both inclusive) the tooltip of the build button in list views supports
HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission. (CVE-2022-34173)

- In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form
allows distinguishing between login attempts with an invalid username, and login attempts with a valid
username and wrong password, when using the Jenkins user database security realm. (CVE-2022-34174)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-34170

https://security.alpinelinux.org/vuln/CVE-2022-34171

https://security.alpinelinux.org/vuln/CVE-2022-34172

https://security.alpinelinux.org/vuln/CVE-2022-34173

https://security.alpinelinux.org/vuln/CVE-2022-34174

Plugin Details

Severity: High

ID: 405046

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2022-34174

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/22/2022

Reference Information

CVE: CVE-2022-34170, CVE-2022-34171, CVE-2022-34172, CVE-2022-34173, CVE-2022-34174