CVE-2023-43499

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

4.3%

top 11.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Build Failure Analyzer Jenkins Project Jenkins Build Failure Analyzer Plugin

Timeline

PublishedSep 20

Description

Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Mavencom.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer< 2.4.2

▶CVEListV5jenkins_project/jenkins_build_failure_analyzer_plugin2.4.1

▶NVDjenkins/build_failure_analyzer< 2.4.2

🔴Vulnerability Details

GHSA

Jenkins Build Failure Analyzer Plugin Cross-site Scripting vulnerability↗2023-09-20

▶

CVEList

CVE-2023-43499: Jenkins Build Failure Analyzer Plugin 2↗2023-09-20

▶

OSV

Jenkins Build Failure Analyzer Plugin Cross-site Scripting vulnerability↗2023-09-20

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-09-20↗2023-09-20

▶