logo

Database

Server side cross-site scripting In org.jenkins-ci.main:jenkins-core

Description

Jenkins Cross-site Scripting vulnerability ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with.

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide caption parameter values.

As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins. Jenkins 2.424, LTS 2.414.2 escapes caption constructor parameter values.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-434952. NVD-2023-434953. OSV-2023-434954. GCVE-2023-43495

References

1. https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-32452. http://www.openwall.com/lists/oss-security/2023/09/20/5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.