exploitDog
CVE-2023-27898

Published: 10 Mar 2023
Source: redhat
CVSS3: 8.8

Description

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

A flaw was found in Jenkins. Affected versions of Jenkins do not escape the Jenkins version that a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This issue results in a stored Cross-site scripting (XSS) vulnerability, exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

Statement

OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of ELS support; hence the OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.

Affected packages

Platform                                            | Package | Status               | Advisory       | Release
----------------------------------------------------|---------|----------------------|----------------|-----------
Red Hat OpenShift Container Platform 3.11           | jenkins | Out of support scope |                |
OpenShift Developer Tools and Services for OCP 4.11 | jenkins | Fixed                | RHSA-2023:3663 | 19.06.2023
Red Hat OpenShift Container Platform 4.10           | jenkins | Fixed                | RHSA-2023:1655 | 12.04.2023

Additional information

Severity: Important

Weakness: CWE-79

Bugzilla: Jenkins: XSS vulnerability in plugin manager
https://bugzilla.redhat.com/show_bug.cgi?id=2177629

CVSS3: 8.8 (High)

Related vulnerabilities

CVSS3: 9.6
nvd
almost 3 years ago

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

CVSS3: 9.6
debian
almost 3 years ago

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.37 ...

CVSS3: 8.8
github
almost 3 years ago

Cross-site Scripting vulnerability in Jenkins

CVSS3: 3.5
fstec
almost 3 years ago

Vulnerability in the Jenkins automation server related to errors in HTTP header handling, allowing an attacker to carry out cross-site scripting (XSS) attacks
