The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
{
"unresolved_ranges": [
{
"vendor_product": "oracle:communications_cloud_native_core_automated_test_suite",
"cpes": [
"cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "1.9.0"
},
{
"last_affected": "1.9.0"
}
]
},
{
"vendor_product": "redhat:openshift_container_platform",
"cpes": [
"cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "3.11"
},
{
"last_affected": "3.11"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*",
"cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "2.164.1"
},
{
"last_affected": "2.171"
}
],
"source": "CPE_RANGE"
}