XSS vulnerability in Jenkins Job Configuration History Plugin

2023-09-0615:30:26

Google

osv.dev

jenkins

configuration

history

plugin

timestamp

xss

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.6%

JSON

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not property sanitize or escape the timestamp value from history entries when rendering a history entry on the history view, resulting in a stored cross-site scripting (XSS) vulnerability.

CPENameOperatorVersion
org.jenkins-ci.plugins:jobconfighistoryeq1183.v6e2785ff75e0
org.jenkins-ci.plugins:jobconfighistoryeq1207.vd28a_54732f92
org.jenkins-ci.plugins:jobconfighistoryeq1163.ve82c7c6e60a_3
org.jenkins-ci.plugins:jobconfighistoryeq1.12
org.jenkins-ci.plugins:jobconfighistoryeq2.18.3
org.jenkins-ci.plugins:jobconfighistoryeq2.29-rc1073.41ef89cf4e15
org.jenkins-ci.plugins:jobconfighistoryeq2.6
org.jenkins-ci.plugins:jobconfighistoryeq2.9
org.jenkins-ci.plugins:jobconfighistoryeq1165.v8cc9fd1f4597
org.jenkins-ci.plugins:jobconfighistoryeq2.18.1

Name	Operator	Version
org.jenkins-ci.plugins:jobconfighistory	eq	1183.v6e2785ff75e0
org.jenkins-ci.plugins:jobconfighistory	eq	1207.vd28a_54732f92
org.jenkins-ci.plugins:jobconfighistory	eq	1163.ve82c7c6e60a_3
org.jenkins-ci.plugins:jobconfighistory	eq	1.12
org.jenkins-ci.plugins:jobconfighistory	eq	2.18.3
org.jenkins-ci.plugins:jobconfighistory	eq	2.29-rc1073.41ef89cf4e15
org.jenkins-ci.plugins:jobconfighistory	eq	2.6
org.jenkins-ci.plugins:jobconfighistory	eq	2.9
org.jenkins-ci.plugins:jobconfighistory	eq	1165.v8cc9fd1f4597
org.jenkins-ci.plugins:jobconfighistory	eq	2.18.1