CVE-2023-39151 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.402 <2.414.1 || >=0 <2.401.3 || =2.415 || >=2.415 <2.416

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00811 pctl0.73353

Details

Jenkins Stored Cross-site Scripting vulnerability Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, 2.414.1, and LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

Metadata

Created: 2023-07-26T15:30:57Z
Modified: 2023-08-21T17:22:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-69vw-3pcm-84rw/GHSA-69vw-3pcm-84rw.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-69vw-3pcm-84rw
Finding: F425
Auto approve: 1