Jenkins XSS vulnerability in plugin manager
Description
Jenkins 2.270 through 2.393 (both inclusive) and LTS 2.277.1 through 2.375.3 (both inclusive) do not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.
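The following is an added illustration of the flaw described above, not code from Jenkins itself (whose plugin manager is written in Java and Jelly). It models the relevant step in Python: update-site metadata is parsed, a plugin whose required core version is newer than the running Jenkins is flagged, and the incompatibility message is rendered either by interpolating the metadata value verbatim (the vulnerable pattern) or after HTML-escaping it (the fix). The JSON sample, the `requiredCore` field name and the message wording are constructed for this example.

```python
import html
import json
import re

# Constructed sample of update-site metadata in the spirit of a Jenkins
# update-center entry (simplified; not real Jenkins data). One plugin carries
# a "version" that is really markup, as an attacker controlling the update
# site could supply.
SAMPLE_UPDATE_SITE_JSON = json.dumps({
    "plugins": {
        "good-plugin": {"name": "good-plugin", "requiredCore": "2.400"},
        "hostile-plugin": {
            "name": "hostile-plugin",
            "requiredCore": "2.400<b> (bold)</b>",   # constructed hostile value
        },
    }
})

# Matches any tag other than the template's own <div> ... </div>.
FOREIGN_TAG_RE = re.compile(r"<(?!/?div\b)[^>]+>")


def parse_version(text):
    """Parse a dotted numeric Jenkins-style version ("2.375.3") into a tuple.

    Returns None when the string is not a plain version, e.g. when it
    contains markup; such values must never reach the page unescaped."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def is_incompatible(required_core, current_core):
    """True if the plugin's required core is newer than the running core.

    An unparsable requirement is treated as incompatible so the message is
    shown, which is exactly the path where escaping matters."""
    required = parse_version(required_core)
    current = parse_version(current_core)
    return required is None or required > current


def render_message_unescaped(plugin):
    """Vulnerable pattern: update-site strings go into the HTML verbatim."""
    return (f"<div class='error'>{plugin['name']} requires Jenkins "
            f"{plugin['requiredCore']} or newer</div>")


def render_message_escaped(plugin):
    """Fixed pattern: every untrusted value is HTML-escaped before output."""
    name = html.escape(plugin["name"], quote=True)
    required = html.escape(plugin["requiredCore"], quote=True)
    return f"<div class='error'>{name} requires Jenkins {required} or newer</div>"


def contains_foreign_markup(rendered):
    """Detection check: does anything besides the template's <div> render as a tag?"""
    return FOREIGN_TAG_RE.search(rendered) is not None


def incompatible_messages(update_site_json, current_core, render):
    """Return {plugin name: rendered error message} for incompatible plugins."""
    data = json.loads(update_site_json)
    messages = {}
    for name, plugin in data["plugins"].items():
        if is_incompatible(plugin["requiredCore"], current_core):
            messages[name] = render(plugin)
    return messages


if __name__ == "__main__":
    for label, render in (("unescaped", render_message_unescaped),
                          ("escaped", render_message_escaped)):
        for name, msg in incompatible_messages(SAMPLE_UPDATE_SITE_JSON, "2.393", render).items():
            flag = "MARKUP LEAKED" if contains_foreign_markup(msg) else "ok"
            print(f"[{label}] {name}: {flag}\n    {msg}")
```

The `contains_foreign_markup` check is the kind of assertion a plugin manager's view tests could carry: render the message for a plugin whose metadata contains markup and require that the only tags in the output are the template's own.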
Affected Products
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive)
Impact
Stored cross-site scripting by remote attackers able to provide plugins to the configured update sites and have this error message shown by Jenkins instances.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
Version Updates
Date | Version | Detail |
---|---|---|
2023-04-28 | 0.00347 | |