Description
Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted. The unescaped name is rendered into the aborted build's page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately (for example from a Pipeline script, which can assign currentBuild.displayName).
A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions are vulnerable to cross-site scripting caused by improper escaping of user-supplied input. A remote authenticated attacker can inject a malicious script into a web page that is then executed in a victim's browser within the security context of the Jenkins instance when the page is viewed. The attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or to perform actions on the victim's behalf.
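The following is an added illustration of the bug class described above (a build display name concatenated into HTML without escaping) beside the hardened form; it is not code from the Jenkins Pipeline: Job Plugin. The message template, the `renderAbortNotice*` function names and the sample display name are constructed for this example.

```javascript
// Added example, not Jenkins or Pipeline: Job Plugin code. The template text,
// function names and the sample build below are constructed.

// Minimal HTML escaper for text interpolated into an HTML template.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the display name, which any user able to set a
// build's display name controls, is concatenated straight into the page.
function renderAbortNoticeVulnerable(causingBuild) {
  return `<div class="aborted-by">Aborted by build ` +
    `<a href="${causingBuild.url}">${causingBuild.displayName}</a></div>`;
}

// Hardened rendering: every attacker-influenced value is escaped before
// it is interpolated, so it can only ever be text, never markup.
function renderAbortNoticeFixed(causingBuild) {
  return `<div class="aborted-by">Aborted by build ` +
    `<a href="${escapeHtml(causingBuild.url)}">` +
    `${escapeHtml(causingBuild.displayName)}</a></div>`;
}

// Constructed sample: a display name carrying an event-handler payload.
const maliciousBuild = {
  url: "/job/example/42/",
  displayName: '#42 <img src=x onerror="alert(document.cookie)">',
};

// The check a tester applies to the response: does the raw payload appear
// verbatim in the rendered HTML? If it does, the browser will parse it as markup.
function reflectsRawPayload(html, payload) {
  return html.includes(payload);
}

function demo() {
  const vulnerable = renderAbortNoticeVulnerable(maliciousBuild);
  const fixed = renderAbortNoticeFixed(maliciousBuild);
  console.log("vulnerable reflects payload:",
    reflectsRawPayload(vulnerable, maliciousBuild.displayName)); // true
  console.log("fixed reflects payload:",
    reflectsRawPayload(fixed, maliciousBuild.displayName));      // false
  console.log(fixed);
}

demo();
```

The escaped output still shows the attacker's text on the page (`#42 &lt;img src=x ...&gt;`), which is the intended behaviour: the display name is data, and the fix is to make the view treat it as such rather than to filter "dangerous" names on input.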
Statement
OpenShift 3.11 is in Extended Life Support (ELS). Jenkins and its related technologies are not supported under ELS. Hence, OpenShift 3.11 is marked as affected with a "Will not fix" resolution.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Will not fix | | |
| OCP-Tools-4.12-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2023:3610 | 2023-06-15 |
| OpenShift Developer Tools and Services for OCP 4.11 | jenkins-2-plugins | Fixed | RHSA-2023:3663 | 2023-06-19 |
| Red Hat OpenShift Container Platform 4.10 | jenkins-2-plugins | Fixed | RHSA-2023:3625 | 2023-06-23 |
Additional information
Status:
EPSS:
CVSS3: 7.5 High
Related vulnerabilities
- Jenkins security advisory entry: Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability (same text as the Description above)
- GitHub advisory entry: Jenkins Pipeline: Job Plugin vulnerable to stored Cross-site Scripting