CVE-2023-39151

HIGH8.0EPSS 1.6%

Jenkins Stored Cross-site Scripting vulnerability

Published: 7/26/2023Modified: 2/16/2024

Also known as:GHSA-69vw-3pcm-84rwBIT-jenkins-2023-39151

Description

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, 2.414.1, and LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

Affected packages (2)

Bitnami/jenkinsfrom 0, < 2.415.1
Maven/org.jenkins-ci.main:jenkins-core>= 2.402, < 2.414.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-39151
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://github.com/CVEProject/cvelist/blob/975222d6e43b5b1296dbc8a67d03704a1d2554e8/2023/39xxx/CVE-2023-39151.json
WEBhttps://github.com/jenkinsci/jenkins/commit/1b9f1ccdbb7d00705b036d1332908fe52c2cd7ae
WEBhttps://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
WEBhttp://www.openwall.com/lists/oss-security/2023/07/26/2