Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tdjc3LWZqNjMtcTV3OM4AA2q7
Stored XSS vulnerability in Jenkins GitHub Plugin
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
GitHub Plugin 1.37.3.1 escapes the GitHub project URL on the build page when showing changes.
Permalink: https://github.com/advisories/GHSA-mv77-fj63-q5w8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdjc3LWZqNjMtcTV3OM4AA2q7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00075
EPSS Percentile: 0.33529
Identifiers: GHSA-mv77-fj63-q5w8, CVE-2023-46650
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46650
- https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246
- http://www.openwall.com/lists/oss-security/2023/10/25/2
- https://github.com/jenkinsci/github-plugin/commit/9e09678c445613521c45acce0ce525160747ff3e
- https://github.com/advisories/GHSA-mv77-fj63-q5w8
Blast Radius: 19.7
Affected Packages
maven:com.coravy.hudson.plugins.github:github
Dependent packages: 0
Dependent repositories: 288
Downloads:
Affected Version Ranges: < 1.37.3.1
Fixed in: 1.37.3.1
All affected versions:
All unaffected versions: