Lucene search

GitHub Advisory DatabaseGHSA-MV77-FJ63-Q5W8

HistoryOct 25, 2023 - 6:32 p.m.

Stored XSS vulnerability in Jenkins GitHub Plugin

2023-10-2518:32:25

CWE-79

GitHub Advisory Database

github.com

jenkins

github plugin

xss

vulnerability

stored

cross-site scripting

exploit

permission

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

38.8%

JSON

Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

GitHub Plugin 1.37.3.1 escapes GitHub project URL on the build page when showing changes.

Affected configurations

Vulners

Node

com.coravy.hudson.plugins.github\Matchgithub

CPENameOperatorVersion
com.coravy.hudson.plugins.github:githublt1.37.3.1

CPE	Name	Operator	Version
	com.coravy.hudson.plugins.github:github	lt	1.37.3.1

References

www.openwall.com/lists/oss-security/2023/10/25/2

github.com/advisories/GHSA-mv77-fj63-q5w8

github.com/jenkinsci/github-plugin/commit/9e09678c445613521c45acce0ce525160747ff3e

nvd.nist.gov/vuln/detail/CVE-2023-46650

www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246