Description

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/03/25/2

https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781

Related Vulnerabilities

CVE-2021-39194 Vulnerability in maven package com.charleskorn.kaml:kaml

CVE-2020-7677 Vulnerability in npm package thenify

CVE-2020-6428 Vulnerability in npm package electron

CVE-2023-43123 Vulnerability in maven package org.apache.storm:storm-server

CVE-2023-30520 Vulnerability in maven package org.jenkins-ci.plugins:quayio-trigger

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory