Lucene search

GitHub Advisory DatabaseGHSA-262F-77Q5-RQV6

HistorySep 20, 2023 - 6:30 p.m.

Jenkins Build Failure Analyzer Plugin Cross-site Scripting vulnerability

2023-09-2018:30:21

CWE-79

GitHub Advisory Database

github.com

jenkins

build failure analyzer

cross-site scripting

vulnerability

software

build logs

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

38.6%

JSON

Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.

Build Failure Analyzer Plugin 2.4.2 escapes Failure Cause names in build logs.

Affected configurations

Vulners

Node

jenkinsbuild_failure_analyzerRange<2.4.2jenkins

CPENameOperatorVersion
com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzerlt2.4.2

CPE	Name	Operator	Version
	com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer	lt	2.4.2

References

www.openwall.com/lists/oss-security/2023/09/20/5

github.com/advisories/GHSA-262f-77q5-rqv6

nvd.nist.gov/vuln/detail/CVE-2023-43499

www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3244