Lucene search

GitHub Advisory DatabaseGHSA-5JXP-F5RR-G6JC

HistorySep 06, 2023 - 3:30 p.m.

XSS vulnerability in Jenkins Job Configuration History Plugin

2023-09-0615:30:26

CWE-79

GitHub Advisory Database

github.com

jenkins

configuration history plugin

xss

vulnerability

sanitize

escape

timestamp

history entries

rendering

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.6%

JSON

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchjobconfighistory

CPENameOperatorVersion
org.jenkins-ci.plugins:jobconfighistoryle1227.v7a

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:jobconfighistory	le	1227.v7a

References

www.openwall.com/lists/oss-security/2023/09/06/9

github.com/advisories/GHSA-5jxp-f5rr-g6jc

nvd.nist.gov/vuln/detail/CVE-2023-41931

www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3233