CVE-2023-27898
Published: 2023-03-10
Priority: P3 (43)
CVSS 3.1: 9.6 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 1.84% (76.3rd percentile)
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.
Affected
2 ranges
| Vendor | Product | Release line | Version range | Fixed in |
|---|---|---|---|---|
| jenkins | jenkins | weekly | >= 2.270 < 2.394 | 2.394 |
| jenkins | jenkins | LTS | >= 2.277.1 < 2.375.4 | 2.375.4 |
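The mechanism described above (an attacker-supplied plugin whose declared required core version is inserted unescaped into the plugin manager's error text) and the two affected ranges in the table, as an added worked example in Python. This is not Jenkins' own code and not part of the advisory. It shows two things a practitioner wants: a range check that keeps the weekly and LTS lines apart, since LTS 2.375.4 sorts below weekly 2.394 yet is the fix, and a constructed plugin manifest whose Jenkins-Version attribute carries markup, rendered once raw and once HTML-escaped. The Jenkins-Version manifest attribute is the real field a plugin uses to declare its required core; the manifest contents, the message wording and all function names are assumptions for illustration, not the plugin manager's actual template.

```python
import html
import re
from typing import Optional, Tuple

# Ranges named in the advisory: weekly 2.270..2.393 (fixed in 2.394) and
# LTS 2.277.1..2.375.3 (fixed in 2.375.4). Upper bounds are exclusive.
WEEKLY_FIRST, WEEKLY_FIXED = (2, 270), (2, 394)
LTS_FIRST, LTS_FIXED = (2, 277, 1), (2, 375, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.375.3' -> (2, 375, 3). Weekly releases have two numeric parts,
    LTS releases three; is_affected() relies on that distinction."""
    core = version.strip().split("-")[0]  # drop suffixes such as -SNAPSHOT
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True if the running core falls inside a CVE-2023-27898 range.

    The two lines must be compared separately. A single tuple comparison
    would flag LTS 2.375.4 because (2, 375, 4) sorts below (2, 394),
    although 2.375.4 is the LTS fix release.
    """
    parts = parse_version(version)
    if len(parts) == 2:
        return WEEKLY_FIRST <= parts < WEEKLY_FIXED
    if len(parts) == 3:
        return LTS_FIRST <= parts < LTS_FIXED
    return False  # anything else is not a release this advisory names


# Constructed MANIFEST.MF for a hostile plugin (hypothetical, not a real
# plugin). Jenkins-Version is the core version a plugin declares it needs;
# nothing forces it to look like a version number.
HOSTILE_MANIFEST = """\
Manifest-Version: 1.0
Short-Name: example-plugin
Plugin-Version: 1.0
Jenkins-Version: 2.500<img src=x onerror=alert(document.domain)>
"""


def required_core(manifest: str) -> Optional[str]:
    """Pull the Jenkins-Version attribute out of a manifest text."""
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Jenkins-Version":
            return value.strip()
    return None


def incompatibility_message(required: str, running: str, escape: bool) -> str:
    """Hypothetical stand-in for the plugin manager's error text. With
    escape=False the attacker-controlled version lands in the HTML raw
    (the pre-fix behaviour the advisory describes); with escape=True it
    is rendered inert."""
    shown = html.escape(required, quote=True) if escape else required
    return (f'<div class="error">Plugin requires Jenkins {shown} or newer; '
            f'this instance runs {html.escape(running)}</div>')


def demo(running: str = "2.393") -> Tuple[str, str]:
    """Return (vulnerable_html, fixed_html) for the hostile manifest."""
    required = required_core(HOSTILE_MANIFEST)
    assert required is not None
    return (incompatibility_message(required, running, escape=False),
            incompatibility_message(required, running, escape=True))


if __name__ == "__main__":
    for v in ("2.269", "2.270", "2.393", "2.394", "2.375.3", "2.375.4", "2.387.1"):
        print(f"{v:>8}: {'affected' if is_affected(v) else 'not affected'}")
    raw, safe = demo()
    print("raw :", raw)
    print("safe:", safe)
```

Run it directly to print the range verdicts and both renderings. The escaped variant is what the fixed releases do; note that the required-version string is never validated as a version at all, which is why escaping at render time, not input filtering, is the correct fix.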
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.6 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| vendor_redhat | 9.6 | Critical | — |
| vendor_jenkins | — | High | — |
Red Hat
Jenkins: XSS vulnerability in plugin manager
vendor_redhat · 2023-03-10 · CVSS 9.6 · Critical · CWE-79
A flaw was found in Jenkins. Affected versions of Jenkins do not escape the Jenkins version that a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This issue results in a stored Cross-site scripting (XSS) vulnerability, explo
Jenkins
Jenkins Security Advisory 2023-03-08
vendor_jenkins · 2023-03-08 · CVSS 9.6 (also indexed under CVE-2023-24998 [CRITICAL], which the same advisory covers)
This advisory announces vulnerabilities in the following Jenkins deliverables: Jenkins (core), update-center2.
Descriptions
XSS vulnerability in plugin manager
SECURITY-3037 / CVE-2023-27898
Severity (CVSS): High
Description: Jenkins 2.270 through 2.393 (b
OSV
Cross-site Scripting vulnerability in Jenkins
osv · 2023-03-10 · High
GHSA
Cross-site Scripting vulnerability in Jenkins
ghsa · 2023-03-10 · High · CWE-79
No detection rules found.
No public exploits indexed.
arXiv
PatchSeeker: Mapping NVD Records to their Vulnerability-fixing Commits with LLM Generated Commits and Embeddings
arxiv_fulltext · 2025-09-09
Authors (as listed on page 1, list cut off in the extraction): Huu Hung Nguyen (Singapore Management University), Anh Tuan Nguyen (Hanoi University of Science and Technology), Thanh Le-Cong (University of Melbourne), Yikun Li (Singapore Management University), Han Wei Ang (GovTech, Singapore), Yide Yin (GovTech, Singapore), Frank Liauw (GovTech, Singapore), Shar Lwin Khin (Singapore Management University), Ouh Eng Lieh (Singapore Management University), Ting Zhang (Monash University)
Wiz
The First Edition of Crying Out Cloud - The Newsletter! | Wiz
blogs_wiz · 2023-04-11 · CVE-2023-25610 [MEDIUM] · CVSS 6.7
The world of cloud security is ever-evolving, and the Wiz Research team is here to keep you updated. This month several impactful vulnerabilities were published, and we observed a few unfortunate security incidents which should be of interest to cloud customers.
Here's a summary of our top picks, enjoy!
## ✨ Highlights
## 🐞 High Profile Vulnerabilities
## Critical RCE vulnerability in Fortinet's FortiOS and FortiProxy
On March 7, Fortinet published an advisory for CVE-2023-25610, a critical buffer underwrite vulnerability in FortiOS. This vulnerability is a bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests. Based on Wiz data, 7% of cloud enterprise environments are still susceptible to this vulnerab