Lucene search

GitHub Advisory DatabaseGHSA-V9RW-HJR3-426H

HistoryAug 16, 2023 - 3:30 p.m.

Jenkins Docker Swarm Plugin stored cross-site scripting vulnerability

2023-08-1615:30:18

CWE-79

GitHub Advisory Database

github.com

jenkins

docker swarm

xss

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

32.9%

JSON

Jenkins Docker Swarm Plugin processes Docker responses to generate the Docker Swarm Dashboard view.

Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker.

As of publication of this advisory, there is no fix.

Affected configurations

Vulners

Node

org.jenkins-ci.pluginsdocker-swarmRange≤1.11

VendorProductVersionCPE
org.jenkins-ci.pluginsdocker-swarm*cpe:2.3:a:org.jenkins-ci.plugins:docker-swarm:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.jenkins-ci.plugins	docker-swarm	*	cpe:2.3:a:org.jenkins-ci.plugins:docker-swarm::::::::

References

www.openwall.com/lists/oss-security/2023/08/16/3

github.com/advisories/GHSA-v9rw-hjr3-426h

nvd.nist.gov/vuln/detail/CVE-2023-40350

www.jenkins.io/security/advisory/2023-08-16/#SECURITY-2811