Lucene search

[email protected]NVD:CVE-2023-43499

HistorySep 20, 2023 - 5:15 p.m.

CVE-2023-43499

2023-09-2017:15:11

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-43499

jenkins build failure analyzer

stored cross-site scripting

failure causes

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.6%

JSON

Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.

Affected configurations

NVD

Node

jenkinsbuild_failure_analyzerRange<2.4.2jenkins

References

www.openwall.com/lists/oss-security/2023/09/20/5

www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3244