CVE-2023-40350 – org.jenkins-ci.plugins:docker-swarm

Package

Manager: maven
Name: org.jenkins-ci.plugins:docker-swarm
Vulnerable Version: >=0 <=1.11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0219 pctl0.83756

Details

Jenkins Docker Swarm Plugin stored cross-site scripting vulnerability Jenkins Docker Swarm Plugin processes Docker responses to generate the Docker Swarm Dashboard view. Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker. As of publication of this advisory, there is no fix.

Metadata

Created: 2023-08-16T15:30:18Z
Modified: 2023-08-16T21:05:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-v9rw-hjr3-426h/GHSA-v9rw-hjr3-426h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-v9rw-hjr3-426h
Finding: F425
Auto approve: 1