Stored Cross-Site Scripting in Jenkins TestNG Results Plugin
CVE-2023-32984

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Testng Results Plugin
Vendor: CVE Published:; 16 May 2023

Summary

The Jenkins TestNG Results Plugin prior to version 730.v4c5283037693 has a stored cross-site scripting (XSS) vulnerability. This issue arises because the plugin does not properly escape certain values parsed from TestNG report files, allowing attackers to craft malicious report files. When these files are displayed on the plugin’s test information pages, an attacker could potentially execute arbitrary JavaScript in the context of an authenticated Jenkins user, leading to the compromise of sensitive information.

Affected Version(s)

Jenkins TestNG Results Plugin 0 <= 730.v4c5283037693

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECU...

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 16, 2023
Vulnerability Reserved
May 16, 2023