GHSA-2wvv-phhw-qvmc

Source
https://github.com/advisories/GHSA-2wvv-phhw-qvmc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-2wvv-phhw-qvmc/GHSA-2wvv-phhw-qvmc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2wvv-phhw-qvmc
Aliases
  • CVE-2023-32977
Published
2023-05-16T18:30:16Z
Modified
2024-02-16T08:08:19.096458Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Jenkins Pipeline: Job Plugin vulnerable to stored Cross-site Scripting
Details

Jenkins Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set a build's display name immediately, that is, before the build starts and aborts the earlier one.

The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts. Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.
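The bug class the advisory describes is a display name interpolated into an HTML message without escaping. The following is an added illustration, not code from the Pipeline: Job Plugin or the Jenkins project: the message template, the URL and the display name are constructed stand-ins, and the two functions show the unescaped rendering beside the escaped one, with a check that reads back what landed in the display-name slot.

```python
import html
import re

# Constructed attacker-controlled display name (a stand-in, not real Jenkins data).
# To exploit the bug as described, this name would have to be on the newer build
# at the moment it aborts the earlier one.
MALICIOUS_DISPLAY_NAME = '<img src=x onerror="alert(document.domain)">'

# Hypothetical message template standing in for the "aborted by newer build"
# text; the plugin's real Jelly/Java rendering is not reproduced here.
TEMPLATE = 'Aborted by newer build <a href="{url}">{name}</a>'


def abort_message_vulnerable(display_name: str, url: str = "/job/demo/2/") -> str:
    """Interpolates the display name into HTML without escaping (the bug class)."""
    return TEMPLATE.format(url=url, name=display_name)


def abort_message_fixed(display_name: str, url: str = "/job/demo/2/") -> str:
    """Same template, but the display name is HTML-escaped before interpolation."""
    return TEMPLATE.format(url=url, name=html.escape(display_name, quote=True))


# Matches the display-name slot of the template: everything between the anchor's
# opening tag and the final closing </a>.
_SLOT = re.compile(r'<a href="[^"]*">(.*)</a>$', re.S)


def name_slot(rendered: str) -> str:
    """Returns the text that landed in the display-name slot of a rendered message."""
    m = _SLOT.search(rendered)
    if m is None:
        raise ValueError("rendered text does not match the template")
    return m.group(1)


def slot_has_markup(rendered: str) -> bool:
    """True if the slot still contains raw markup characters, i.e. a browser would
    parse attacker-controlled tags or attributes out of the display name."""
    return any(c in name_slot(rendered) for c in "<>\"'")


def escaped_slot_roundtrips(display_name: str) -> bool:
    """The fix must keep the name as visible text: unescaping the slot gives the
    original name back, so nothing is lost except interpretation as HTML."""
    return html.unescape(name_slot(abort_message_fixed(display_name))) == display_name


if __name__ == "__main__":
    for label, render in (("vulnerable", abort_message_vulnerable),
                          ("fixed", abort_message_fixed)):
        out = render(MALICIOUS_DISPLAY_NAME)
        print(f"{label}: markup in slot = {slot_has_markup(out)}\n  {out}")
```

The round-trip check is the part worth keeping in a regression test: it distinguishes escaping (the name survives as text) from stripping or truncating the name, which would also remove the markup but silently change what the user sees. The advisory's own caveat applies to the input side: a Pipeline script sets `currentBuild.displayName` only once the build is already running, which is after the moment the newer build aborts the earlier one, so setting the name "immediately" is not something a Pipeline script itself can do.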

Database specific
{
    "nvd_published_at": "2023-05-16T16:15:10Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T02:58:11Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-job

Package

Name
org.jenkins-ci.plugins.workflow:workflow-job
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-job

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1295.v395eb
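Deciding whether an installed workflow-job plugin falls inside this range means comparing both version schemes that appear in the list below: the older `major.minor[.patch][-qualifier]` form (2.42, 1.4.3-beta-1, 2.17-durability-beta-1) and the newer `<changelist>.v<hash>` form (1292.v27d8cc3e2602, 1174.1176.va_29023983d67). The following is an added example, not an OSV or Jenkins tool: it compares the leading numeric components, treats a `-qualifier` as a pre-release of the same number, and applies the OSV rule introduced <= installed < fixed. The range dict is taken from this page as shown; the hash part of a version is ignored, which is enough for this range but is not Jenkins' full version-ordering algorithm.

```python
import re

# Affected range as it appears on this page (ECOSYSTEM type). The fixed string is
# reproduced exactly as the page shows it; the comparison only uses its numeric
# prefix, so the truncated hash does not matter.
AFFECTED_RANGE = {"introduced": "0", "fixed": "1295.v395eb"}

_COMPONENT = re.compile(r"(\d+)(?:-(.*))?")


def version_key(version: str) -> tuple:
    """Comparable key for a Jenkins plugin version string.

    Takes the leading dot-separated components that start with a number and
    stops at the first one that does not (e.g. 'v27d8cc3e2602' or 'va_29023983d67').
    A '-qualifier' attached to a numeric component (e.g. '2-beta-1') ends the
    numeric prefix and marks a pre-release, which sorts before the release with
    the same numbers: 2.2-beta-1 < 2.2 and 1.0-beta-1 < 1.0.
    """
    nums = []
    prerelease = False
    for part in version.split("."):
        m = _COMPONENT.fullmatch(part)
        if m is None:
            break
        nums.append(int(m.group(1)))
        if m.group(2) is not None:
            prerelease = True
            break
    if not nums:
        raise ValueError(f"no numeric prefix in version {version!r}")
    return (tuple(nums), 0 if prerelease else 1)


def is_affected(installed: str, rng: dict = AFFECTED_RANGE) -> bool:
    """OSV semantics for an ECOSYSTEM range: introduced <= installed < fixed."""
    k = version_key(installed)
    return version_key(rng["introduced"]) <= k < version_key(rng["fixed"])


def triage(versions) -> dict:
    """Maps each version string to True (affected) or False (not affected)."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample: versions taken from this page's list plus the fixed one.
    for v, hit in triage(["2.42", "1174.1176.va_29023983d67",
                          "1292.v27d8cc3e2602", "1295.v395eb_7400005"]).items():
        print(f"{v:30} affected={hit}")
```

The installed version string to feed `is_affected` is the `Plugin-Version` header in `$JENKINS_HOME/plugins/workflow-job/META-INF/MANIFEST.MF`, or the version shown for "Pipeline: Job" on the installed-plugins page. Because the key ignores everything after the first non-numeric component, two releases that share a changelist number but differ only in hash would compare equal; Jenkins itself never publishes such a pair under this scheme, but the limitation is worth knowing before reusing the key for other ranges.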

Affected versions

0.*

0.1-beta-1
0.1-beta-2
0.1-beta-3
0.1-beta-4
0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2-beta-1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.11.1
2.11.2
2.12
2.12.1
2.12.2
2.13
2.14
2.14.1
2.15
2.16
2.17
2.17-durability-beta-1
2.17-durability-beta-2
2.18
2.19
2.20
2.21
2.22
2.23
2.24
2.25
2.26-beta-1
2.26
2.27
2.28
2.29
2.30
2.31
2.32
2.33
2.34
2.35
2.36
2.37
2.38
2.39
2.40
2.41
2.41.1
2.42

1145.*

1145.v7f2433caa07f

1156.*

1156.v7539182e7b_d5

1167.*

1167.v8fe861b_09ef9

1174.*

1174.vdcb_d054cf74a_
1174.1176.va_29023983d67

1180.*

1180.v04c4e75dce43

1181.*

1181.va_25d15548158

1182.*

1182.v60a_e6279b_579

1186.*

1186.v8def1a_5f3944

1189.*

1189.va_d37a_e9e4eda_

1203.*

1203.v7b_7023424efe

1206.*

1206.vc48d96b_930b_2

1207.*

1207.ve6191ff089f8
1207.1209.v69351208a_5a_7

1226.*

1226.v44f718dcfe1f

1229.*

1229.vb_7c2419a_b_558

1232.*

1232.v5a_4c994312f1

1236.*

1236.vc3a_d1602f439

1239.*

1239.v71b_b_a_124a_725

1246.*

1246.v6110f5347f1f

1249.*

1249.v7d974144cc14

1254.*

1254.v3f64639b_11dd

1268.*

1268.v6eb_e2ee1a_85a

1282.*

1282.ve6d865025906

1284.*

1284.v2fe8ed4573d4

1289.*

1289.vd1c337fd5354
1289.1291.vb_7c188e7e7df

1292.*

1292.v27d8cc3e2602