Stored Cross-Site Scripting Vulnerability in Jenkins Pipeline Build Step Plugin
CVE-2023-25762

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Pipeline: Build Step Plugin
Vendor: CVE Published:; 15 February 2023

Summary

The Pipeline Build Step Plugin for Jenkins versions up to 2.18 contains a vulnerability that allows for stored cross-site scripting (XSS). This occurs because job names are not properly escaped in a JavaScript expression utilized within the Pipeline Snippet Generator. Attackers with control over job names can exploit this flaw, potentially leading to unauthorized script execution in the context of other users' sessions.

Affected Version(s)

Jenkins Pipeline: Build Step Plugin <= 2.18

References

https://www.jenkins.io/security/advisory/2023-02-15/#SECU...

http://www.openwall.com/lists/oss-security/2023/02/15/4

mailing-list

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 15, 2023
Vulnerability Reserved
Feb 14, 2023