Lucene search

GitHub Advisory DatabaseGHSA-69VW-3PCM-84RW

HistoryJul 26, 2023 - 3:30 p.m.

Jenkins Stored Cross-site Scripting vulnerability

2023-07-2615:30:57

CWE-79

GitHub Advisory Database

github.com

jenkins

cross-site scripting

vulnerability

urls

build logs

lts 2.401.3

2.414.1

2.416

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

41.0%

JSON

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, 2.414.1, and LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

Affected configurations

Vulners

Node

org.jenkins-ci.main\Matchjenkins-core

org.jenkins-ci.main\Matchjenkins-core2.415