Description

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

Remediation

References

CVE-2023-27898

Related Vulnerabilities

Oracle HTTP Server Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2021-4184)

CherryPy Other Vulnerability (CVE-2006-0847)

WordPress Plugin ProfileGrid-User Profiles, Memberships, Groups and Communities Cross-Site Scripting (4.7.4)

WordPress Plugin Copy or Move Comments Multiple Vulnerabilities (1.0.0)

Oracle Database Server Other Vulnerability (CVE-2006-7141)

Severity

Critical

Classification

CVE-2023-27898 CWE-707 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities