Описание
Jenkins Stored Cross-site Scripting vulnerability
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, 2.414.1, and LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2023-39151
- https://github.com/jenkinsci/jenkins/commit/1b9f1ccdbb7d00705b036d1332908fe52c2cd7ae
- https://github.com/CVEProject/cvelist/blob/975222d6e43b5b1296dbc8a67d03704a1d2554e8/2023/39xxx/CVE-2023-39151.json
- https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
- http://www.openwall.com/lists/oss-security/2023/07/26/2
Пакеты
org.jenkins-ci.main:jenkins-core
>= 2.402, < 2.414.1
2.414.1
org.jenkins-ci.main:jenkins-core
< 2.401.3
2.401.3
org.jenkins-ci.main:jenkins-core
= 2.415
2.416
Связанные уязвимости
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize o ...