CVE-2023-27898

Severity: 9.6 CRITICAL
EPSS: 2.8% (top 13.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 10

Description

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 6.0

Affected Packages (3 packages)

Source     | Package                              | Versions
NVD        | jenkins/jenkins                      | 2.270 to 2.394 (+1)
CVEList V5 | jenkins_project/jenkins              | 2.270 to 2.*
Maven      | org.jenkins-ci.main:jenkins-core     | 2.376 to 2.394 (+1)

Vulnerability Details (3)

OSV: Cross-site Scripting vulnerability in Jenkins (2023-03-10)
GHSA: Cross-site Scripting vulnerability in Jenkins (2023-03-10)
CVEList: CVE-2023-27898: Jenkins 2 (2023-03-08)

Vendor Advisories (2)

Red Hat: Jenkins: XSS vulnerability in plugin manager (2023-03-10)
Jenkins: Jenkins Security Advisory 2023-03-08 (2023-03-08)
CVE-2023-27898 (CRITICAL CVSS 9.6) | Jenkins 2.270 through 2.393 (both i | cvebase.io