Stored Cross-Site Scripting in Jenkins Build Failure Analyzer Plugin
CVE-2023-43499

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Build Failure Analyzer Plugin
Vendor: CVE Published:; 20 September 2023

Summary

The Jenkins Build Failure Analyzer Plugin up to version 2.4.1 is susceptible to a stored cross-site scripting vulnerability. This issue arises because the plugin fails to properly escape Failure Cause names in build logs. Attackers with the capability to create or modify Failure Causes could exploit this flaw to inject malicious scripts, posing a significant security risk. Users are advised to upgrade to the latest version to mitigate this vulnerability.

Affected Version(s)

Jenkins Build Failure Analyzer Plugin 0 <= 2.4.1

References

https://www.jenkins.io/security/advisory/2023-09-20/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/20/5

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Sep 19, 2023