Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01ajQ2LTVod3EtZ3doN84AA1-J
Jenkins Cross-site Scripting vulnerability
ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with.
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide caption parameter values.
As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins.
Jenkins 2.424, LTS 2.414.2 escapes caption constructor parameter values.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01ajQ2LTVod3EtZ3doN84AA1-J
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 months ago
Updated: 17 days ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-5j46-5hwq-gwh7, CVE-2023-43495
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43495
- https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3245
- http://www.openwall.com/lists/oss-security/2023/09/20/5
- https://github.com/advisories/GHSA-5j46-5hwq-gwh7
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Versions: >= 2.415, < 2.424, >= 2.50, < 2.414.2Fixed in: 2.424, 2.414.2