GHSA-5j46-5hwq-gwh7

Source

https://github.com/advisories/GHSA-5j46-5hwq-gwh7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-5j46-5hwq-gwh7/GHSA-5j46-5hwq-gwh7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5j46-5hwq-gwh7

Aliases

Published

2023-09-20T18:30:21Z

Modified

2024-02-16T08:03:13.086676Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Jenkins Cross-site Scripting vulnerability

Details

ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with.

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide caption parameter values.

As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins. Jenkins 2.424, LTS 2.414.2 escapes caption constructor parameter values.

Database specific

{
    "nvd_published_at": "2023-09-20T17:15:11Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T17:21:08Z"
}

References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.50

Fixed

2.414.2

Affected versions

2.*

2.50

2.51

2.52

2.53

2.54

2.55

2.56

2.57

2.58

2.59

2.60

2.60.1

2.60.2

2.60.3

2.61

2.62

2.63

2.64

2.65

2.66

2.67

2.68

2.69

2.70

2.71

2.72

2.73

2.73.1

2.73.2

2.73.3

2.74

2.75

2.76

2.77

2.78

2.79

2.80

2.81

2.82

2.83

2.84

2.85

2.86

2.87

2.88

2.89

2.89.1

2.89.2

2.89.3

2.89.4

2.90

2.91

2.92

2.93

2.94

2.95

2.96

2.97

2.98

2.99

2.100

2.101

2.102

2.103

2.104

2.105

2.106

2.107

2.107.1

2.107.2

2.107.3

2.108

2.109

2.110

2.111

2.112

2.113

2.114

2.115

2.116

2.117

2.118

2.119

2.120

2.121

2.121.1

2.121.2

2.121.3

2.122

2.123

2.124

2.125

2.126

2.127

2.128

2.129

2.130

2.131

2.132

2.133

2.134

2.135

2.136

2.137

2.138

2.138.1

2.138.2

2.138.3

2.138.4

2.140

2.141

2.142

2.143

2.144

2.145

2.146

2.147

2.148

2.149

2.150

2.150.1

2.150.2

2.150.3

2.151

2.152

2.153

2.154

2.155

2.156

2.157

2.158

2.159

2.160

2.161

2.162

2.163

2.164

2.164.1

2.164.2

2.164.3

2.165

2.166

2.167

2.168

2.169

2.170

2.171

2.172

2.173

2.174

2.175

2.176

2.176.1

2.176.2

2.176.3

2.176.4

2.177

2.178

2.179

2.180

2.181

2.182

2.183

2.184

2.185

2.186

2.187

2.189

2.190

2.190.1

2.190.2

2.190.3

2.191

2.192

2.193

2.194

2.195

2.196

2.197

2.198

2.199

2.200

2.201

2.202

2.203

2.204

2.204.1

2.204.2

2.204.3

2.204.4

2.204.5

2.204.6

2.205

2.206

2.207

2.208

2.209

2.210

2.211

2.212

2.213

2.214

2.215

2.216

2.217

2.218

2.219

2.220

2.221

2.222

2.222.1

2.222.3

2.222.4

2.223

2.224

2.225

2.226

2.227

2.228

2.229

2.230

2.231

2.232

2.233

2.234

2.235

2.235.1

2.235.2

2.235.3

2.235.4

2.235.5

2.236

2.237

2.238

2.239

2.240

2.241

2.242

2.243

2.244

2.245

2.246

2.247

2.248

2.249

2.249.1

2.249.2

2.249.3

2.250

2.251

2.252

2.253

2.254

2.255

2.256

2.257

2.258

2.259

2.260

2.261

2.262

2.263

2.263.1

2.263.2

2.263.3

2.263.4

2.264

2.265

2.266

2.267

2.268

2.269

2.270

2.271

2.272

2.273

2.274

2.275

2.276

2.277

2.277.1

2.277.2

2.277.3

2.277.4

2.278

2.279

2.280

2.281

2.282

2.283

2.284

2.285

2.286

2.287

2.288

2.289

2.289.1

2.289.2

2.289.3

2.290

2.291

2.292

2.293

2.294

2.295

2.296

2.297

2.298

2.299

2.300

2.301

2.302

2.303

2.303.1

2.303.2

2.303.3

2.304

2.305

2.306

2.307

2.308

2.309

2.311

2.312

2.313

2.314

2.315

2.316

2.317

2.318

2.319

2.319.1

2.319.2

2.319.3

2.320

2.321

2.322

2.323

2.324

2.325

2.326

2.327

2.328

2.329

2.330

2.331

2.332

2.332.1

2.332.2

2.332.3

2.332.4

2.333

2.334

2.335

2.336

2.337

2.338

2.339

2.340

2.341

2.342

2.343

2.344

2.345

2.346

2.346.1

2.346.2

2.346.3

2.347

2.348

2.349

2.350

2.354

2.355

2.356

2.357

2.358

2.359

2.360

2.361

2.361.1

2.361.2

2.361.3

2.361.4

2.362

2.363

2.364

2.365

2.366

2.367

2.368

2.369

2.370

2.371

2.372

2.373

2.374

2.375

2.375.1

2.375.2

2.375.3

2.375.4

2.376

2.377

2.378

2.379

2.380

2.381

2.382

2.383

2.384

2.385

2.386

2.387

2.387.1

2.387.2

2.387.3

2.388

2.389

2.390

2.391

2.392

2.393

2.394

2.395

2.396

2.397

2.398

2.399

2.400

2.401

2.401.1

2.401.2

2.401.3

2.402

2.403

2.404

2.405

2.406

2.407

2.409

2.410

2.411

2.412

2.413

2.414

2.414.1

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.415

Fixed

2.424

Affected versions

2.*

2.415

2.416

2.417

2.418

2.419

2.420

2.421

2.422

2.423