Security context
High· 8.0GHSA-5j46-5hwq-gwh7 CVE-2023-43495CWE-79Published Sep 20, 2023

Jenkins Cross-site Scripting vulnerability

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

2.50 → fixed in 2.414.22.415 → fixed in 2.424

Details

`ExpandableDetailsNote` allows annotating build log content with additional information that can be revealed when interacted with. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the `caption` constructor parameter of `ExpandableDetailsNote`. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide `caption` parameter values. As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins. Jenkins 2.424, LTS 2.414.2 escapes `caption` constructor parameter values.

The fix

No fix commit could be resolved for this advisory (it may reference an issue tracker or a non-GitHub patch). See the references below.

References