Stored Cross-Site Scripting Vulnerability in Jenkins AnchorChain Plugin
CVE-2025-30196

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Anchorchain Plugin
Vendor: CVE Published:; 19 March 2025

Summary

The Jenkins AnchorChain Plugin version 1.0 creates links based on workspace content without restricting URL schemes. This design flaw enables the use of the javascript: scheme, leading to a stored XSS vulnerability. Attackers can exploit this weakness by controlling the input files for the Anchor Chain post-build step, posing a significant threat to application security.

Affected Version(s)

Jenkins AnchorChain Plugin 1.0

References

https://www.jenkins.io/security/advisory/2025-03-19/#SECU...

vendor-advisory

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 19, 2025
Vulnerability Reserved
Mar 18, 2025