CVE-2023-32977
Jenkins Pipeline: Job Plugin vulnerable to stored Cross-site Scripting
描述
Jenkins Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately. The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts. Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.
如何修補 CVE-2023-32977
要修補 CVE-2023-32977,請將受影響套件升級到下列已修補版本。
- —升級至 1295.v395eb 或更新版本
CVE-2023-32977 正在被利用嗎?
低 — EPSS 為 4.3%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- from 0, < 1295.v395eb
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |