Description

Jenkins update-center2 3.13 and 3.14 renders the required Jenkins core version on plugin download index pages without sanitization, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a plugin for hosting.

Remediation

References

https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3063

Related Vulnerabilities

CVE-2013-6468 Vulnerability in maven package org.drools:drools-workbench-models-test-scenarios

CVE-2016-6814 Vulnerability in maven package org.codehaus.groovy:groovy-all

CVE-2023-28640 Vulnerability in maven package io.apiman:apiman-manager-api-rest-impl

CVE-2013-2172 Vulnerability in maven package org.apache.santuario:xmlsec

CVE-2019-1354 Vulnerability in npm package nodegit

Severity

Critical

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Tags

Vendor Advisory