Description

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

Remediation

References

https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923

Related Vulnerabilities

CVE-2023-28673 Vulnerability in maven package org.jenkinsci.plugins:octoperf

CVE-2023-35152 Vulnerability in maven package org.xwiki.platform:xwiki-platform-like-ui

CVE-2020-2289 Vulnerability in maven package org.biouno:uno-choice

CVE-2023-40348 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook

CVE-2023-45135 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-war

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Tags

Vendor Advisory