Lucene search

Veracode Vulnerability DatabaseVERACODE:41815

HistoryJul 28, 2023 - 2:45 a.m.

Cross-site Scripting (XSS)

2023-07-2802:45:44

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

jenkins-core

cross-site scripting

vulnerability

unescaped urls

abstractmarkuptext.java

malicious javascript

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

41.0%

JSON

jenkins-core is vulnerable to Cross-site Scripting (XSS). The vulnerability exists because the addHyperlink function of AbstractMarkupText.java which does not properly escape the URLs before being rendered, allowing an attacker to inject and execute malicious JavaScript.

CPENameOperatorVersion
jenkins corele2.415
jenkins corele2.401.2
org.jenkins-ci.main:jenkins-corele2.415
org.jenkins-ci.main:jenkins-corele2.401.2

Name	Operator	Version
jenkins core	le	2.415
jenkins core	le	2.401.2
org.jenkins-ci.main:jenkins-core	le	2.415
org.jenkins-ci.main:jenkins-core	le	2.401.2

References

www.openwall.com/lists/oss-security/2023/07/26/2

github.com/advisories/GHSA-69vw-3pcm-84rw

github.com/jenkinsci/jenkins/commit/1b9f1ccdbb7d00705b036d1332908fe52c2cd7ae

github.com/jenkinsci/jenkins/commit/b45dacfc279bb8aea79e9f914a8fcf9c096d02cd

www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188