CVE-2023-27898

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.jenkins-ci.main/jenkins-core

Identifiers

CVE-2023-27898

Package Slug

maven/org.jenkins-ci.main/jenkins-core

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

Affected Versions

All versions starting from 2.270 before 2.394

Solution

Upgrade to version 2.394 or above.

Last Modified

2023-03-17

source