Lucene search

GoogleOSV:GHSA-MV77-FJ63-Q5W8

HistoryOct 25, 2023 - 6:32 p.m.

Stored XSS vulnerability in Jenkins GitHub Plugin

2023-10-2518:32:25

Google

osv.dev

jenkins

github

plugin

vulnerability

xss

exploitable

permission

software

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.7

Confidence

High

EPSS

0.001

Percentile

41.4%

JSON

Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

GitHub Plugin 1.37.3.1 escapes GitHub project URL on the build page when showing changes.

References

www.openwall.com/lists/oss-security/2023/10/25/2

github.com/jenkinsci/github-plugin

github.com/jenkinsci/github-plugin/commit/9e09678c445613521c45acce0ce525160747ff3e

nvd.nist.gov/vuln/detail/CVE-2023-46650

www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246