Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05OGdxLTZoeGctNTJyNs4AAnOI
XSS vulnerability in Jenkins notification bar
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier do not escape notification bar response contents (typically shown after form submissions via the Apply button).
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.
Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.
Permalink: https://github.com/advisories/GHSA-98gq-6hxg-52r6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OGdxLTZoeGctNTJyNs4AAnOI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-98gq-6hxg-52r6, CVE-2021-21603
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21603
- https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1889
- https://github.com/jenkinsci/jenkins/commit/f5d98421604e44f398e7de9d222b191a705608af
- https://github.com/advisories/GHSA-98gq-6hxg-52r6
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.263.2, <= 2.274; < 2.263.1
Fixed in: 2.275, 2.275