Stored Cross-Site Scripting in Jenkins Pipeline Job Plugin
CVE-2023-32977

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Pipeline: Job Plugin
Vendor: CVE Published:; 16 May 2023

Summary

The Jenkins Pipeline Job Plugin is susceptible to a stored cross-site scripting vulnerability due to improper escaping of the display name for builds. This flaw could allow malicious users, capable of setting build display names, to execute arbitrary JavaScript code in the context of other users' browsers. As a result, sensitive data could be compromised, and user sessions hijacked without the need for direct user interaction. It is crucial to update to the patched version to mitigate this security risk.

Affected Version(s)

Jenkins Pipeline: Job Plugin 1295.v395eb_7400005

Jenkins Pipeline: Job Plugin 1289.1291.vb_7c188e7e7df < 1289.*

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECU...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 16, 2023
Vulnerability Reserved
May 16, 2023