CVE-2023-39151

HIGH8.0EPSS 1.6%

Jenkins Stored Cross-site Scripting vulnerability

發布日:2023/7/26修改日:2024/2/16

也稱為:GHSA-69vw-3pcm-84rwBIT-jenkins-2023-39151

描述

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, 2.414.1, and LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

受影響套件(2)

Bitnami/jenkinsfrom 0, < 2.415.1
Maven/org.jenkins-ci.main:jenkins-core>= 2.402, < 2.414.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

參考連結(6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-39151
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://github.com/CVEProject/cvelist/blob/975222d6e43b5b1296dbc8a67d03704a1d2554e8/2023/39xxx/CVE-2023-39151.json
WEBhttps://github.com/jenkinsci/jenkins/commit/1b9f1ccdbb7d00705b036d1332908fe52c2cd7ae
WEBhttps://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
WEBhttp://www.openwall.com/lists/oss-security/2023/07/26/2