Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-25762

Опубликовано: 15 фев. 2023
Источник: redhat
CVSS3: 5.4
EPSS Средний

Описание

Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.

Отчет

OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenShift Container Platform 3.11jenkins-2-pluginsOut of support scope
OCP-Tools-4.12-RHEL-8jenkins-2-pluginsFixedRHSA-2023:319518.05.2023
OCP-Tools-4.12-RHEL-8jenkins-2-pluginsFixedRHSA-2023:617230.10.2023
OCP-Tools-4.12-RHEL-8jenkins-2-pluginsFixedRHSA-2024:077812.02.2024
OCP-Tools-4.13-RHEL-8jenkins-2-pluginsFixedRHSA-2023:329924.05.2023
OCP-Tools-4.13-RHEL-8jenkins-2-pluginsFixedRHSA-2023:617930.10.2023
OCP-Tools-4.13-RHEL-8jenkins-2-pluginsFixedRHSA-2024:077612.02.2024
OCP-Tools-4.14-RHEL-8jenkins-2-pluginsFixedRHSA-2023:728816.11.2023
OCP-Tools-4.14-RHEL-8jenkins-2-pluginsFixedRHSA-2024:077712.02.2024
OpenShift Developer Tools and Services for OCP 4.11jenkins-2-pluginsFixedRHSA-2023:319817.05.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=2170041jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin

EPSS

Процентиль: 98%
0.60432
Средний

5.4 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2023-25762

CVSS3: 5.4
nvd
почти 3 года назад

Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

github логотип

GHSA-9j65-3f2q-8q2r

CVSS3: 5.4
github
почти 3 года назад

Cross-site Scripting in Jenkins Pipeline: Build Step Plugin

EPSS

Процентиль: 98%
0.60432
Средний

5.4 Medium

CVSS3