Description

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/03/25/2

https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781

Related Vulnerabilities

CVE-2022-41251 Vulnerability in maven package org.jenkins-ci.plugins:apprenda

CVE-2023-3691 Vulnerability in maven package org.webjars.bower:layui

CVE-2022-29546 Vulnerability in maven package net.sourceforge.nekohtml:nekohtml

CVE-2020-6452 Vulnerability in maven package org.webjars.npm:electron

CVE-2023-40350 Vulnerability in maven package org.jenkins-ci.plugins:docker-swarm

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory