CVE-2021-21603 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.263.2 || >=2.264 <2.275
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00302 (percentile 0.52989)
Details
XSS vulnerability in Jenkins notification bar

Jenkins 2.274 and earlier and LTS 2.263.1 and earlier do not escape the response contents shown in the notification bar (typically displayed after a form submission via the Apply button). This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents. Jenkins 2.275 and LTS 2.263.2 escape the content shown in notification bars.
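The following is an added illustration of the bug class described above; it is not Jenkins code and does not reproduce the actual jenkins-core fix. It models a notification bar that receives the server's response text after an Apply submission: the vulnerable renderer concatenates that text straight into markup (the innerHTML pattern), while the hardened renderer HTML-escapes it first (the equivalent of assigning textContent). The sample response string, the function names and the wrapper markup are all constructed for this example.

```javascript
// Added example (not Jenkins' own code): unescaped vs. escaped notification bar content.

// Minimal HTML escaping for text that will be placed in element content or attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

const BAR_OPEN = '<div id="notification-bar">';
const BAR_CLOSE = "</div>";

// Vulnerable: server response is treated as markup, so any tags in it become live DOM.
function renderNotificationVulnerable(responseText) {
  return BAR_OPEN + responseText + BAR_CLOSE;
}

// Hardened: server response is treated as text; tags survive only as literal characters.
function renderNotificationSafe(responseText) {
  return BAR_OPEN + escapeHtml(responseText) + BAR_CLOSE;
}

// Inspection helper: returns every tag that appears inside the bar wrapper.
// For the hardened renderer this must always be an empty list.
function injectedTags(markup) {
  if (!markup.startsWith(BAR_OPEN) || !markup.endsWith(BAR_CLOSE)) {
    throw new Error("unexpected wrapper markup");
  }
  const inner = markup.slice(BAR_OPEN.length, markup.length - BAR_CLOSE.length);
  return inner.match(/<[a-zA-Z/][^>]*>/g) || [];
}

// Constructed attacker-influenced response: a validation message echoing a field value
// that happens to contain an element with an event handler.
const hostileResponse = 'Saved: <img src=x onerror="alert(document.domain)">';

// Stand-alone demonstration.
console.log("vulnerable:", renderNotificationVulnerable(hostileResponse));
console.log("   tags   :", injectedTags(renderNotificationVulnerable(hostileResponse)));
console.log("hardened  :", renderNotificationSafe(hostileResponse));
console.log("   tags   :", injectedTags(renderNotificationSafe(hostileResponse)));
```

The practical check when reviewing a UI of this kind is the one `injectedTags` performs: feed a response containing a tag with an event handler through the rendering path and confirm that nothing but the wrapper element reaches the document. In a real browser the hardened path should assign `textContent` (or use a templating layer that escapes by default) rather than building HTML strings at all.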
Metadata
Created: 2022-05-24T17:39:12Z
Modified: 2023-10-27T13:05:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98gq-6hxg-52r6/GHSA-98gq-6hxg-52r6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-98gq-6hxg-52r6
Finding: F008
Auto approve: 1