CVE-2023-25762 — Cross-site Scripting in Project Jenkins Pipeline Build Step Plugin

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

EPSS

65.3%

top 1.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Pipeline Build Step Plugin Jenkins Pipeline

Timeline

PublishedFeb 15

Description

Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_build_step_pluginunspecified — 2.18

▶NVDjenkins/pipeline2.18

🔴Vulnerability Details

CVEList

CVE-2023-25762: Jenkins Pipeline: Build Step Plugin 2↗2023-02-15

▶

GHSA

Cross-site Scripting in Jenkins Pipeline: Build Step Plugin↗2023-02-15

▶

OSV

Cross-site Scripting in Jenkins Pipeline: Build Step Plugin↗2023-02-15

▶

📋Vendor Advisories

Red Hat

jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin↗2023-02-15

▶

Jenkins

Jenkins Security Advisory 2023-02-15↗2023-02-15

▶