CVE-2023-25761
published 2023-02-15CVE-2023-25761: Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site…
PriorityP424medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.70%
48.4th percentile
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | azure_credentials_plugin | — | — |
| jenkins | build_step_plugin | — | — |
| jenkins | config_file_provider_plugin | — | — |
| jenkins | email_extension_plugin | — | — |
| jenkins | junit | <= 1166.va_436e268e972 | — |
| jenkins | junit_plugin | — | — |
| jenkins | junit_resources_processed_by_the_plugin | — | — |
| jenkins | synopsys_coverity_plugin | — | — |
| jenkins_project | jenkins_junit_plugin | unspecified – 1166.va_436e268e972 | — |
| msrc | cbl2_junit_4.13-5_on_cbl_mariner_2.0 | — | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vendor_msrc5.4MEDIUM
vendor_redhat5.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
vendor_redhat·2023-02-15·CVSS 5.4
CVE-2023-25761 [MEDIUM] CWE-79 jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.
Statement: OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the
Jenkins
Jenkins Security Advisory 2023-02-15
vendor_jenkins·2023-02-15·CVSS 5.4
CVE-2023-23847 [MEDIUM] Jenkins Security Advisory 2023-02-15
Title: Jenkins Security Advisory 2023-02-15
Jenkins Security Advisory 2023-02-15
Jenkins Security Home
For Administrators
Overview
Terminology
Vulnerabilities and Scoring
Security Advisories
Security Issues
Advisory Schedule
Vulnerabilities in Plugins
How We Fix Security Issues
For Reporters
Reporting Vulnerabilities
Jenkins CNA
For Maintainers
Overview
Vulnerabilities in Plugins
Jenkins Security Team
About
Contributions
This advisory announces vulnerabilities in the following Jenkins deliverables:
Azure Credentials
Plugin
Email Extension
Plugin
JUnit
Plugin
Pipeline: Build Step
Plugin
Synopsys Coverity
Plugin
Descriptions
Stored XSS vulnerability in JUnit Plugin
SE
Microsoft
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by atta
vendor_msrc·2023-02-14·CVSS 5.4
CVE-2023-25761 [MEDIUM] CWE-79 Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by atta
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog po
GHSA
Cross-site Scripting in Jenkins JUnit Plugin
ghsa·2023-02-15
CVE-2023-25761 [MEDIUM] CWE-79 Cross-site Scripting in Jenkins JUnit Plugin
Cross-site Scripting in Jenkins JUnit Plugin
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
OSV
Cross-site Scripting in Jenkins JUnit Plugin
osv·2023-02-15
CVE-2023-25761 [MEDIUM] Cross-site Scripting in Jenkins JUnit Plugin
Cross-site Scripting in Jenkins JUnit Plugin
Jenkins JUnit Plugin 1166.va_436e268e972 and earlier does not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control test case class names in the JUnit resources processed by the plugin.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-02-15
Published