Description

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

Remediation

References

https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781

http://www.openwall.com/lists/oss-security/2020/03/25/2

Related Vulnerabilities

CVE-2023-4853 Vulnerability in maven package io.quarkus:quarkus-undertow

CVE-2017-5656 Vulnerability in maven package org.apache.cxf:cxf-rt-ws-security

CVE-2023-3691 Vulnerability in maven package org.webjars.npm:layui

CVE-2023-26156 Vulnerability in npm package chromedriver

CVE-2023-28709 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory