CVE-2023-39151: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

July 26, 2023 (updated August 3, 2023)

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

References

www.openwall.com/lists/oss-security/2023/07/26/2
nvd.nist.gov/vuln/detail/CVE-2023-39151
www.jenkins.io/security/advisory/2023-07-26/

Detect and mitigate CVE-2023-39151 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →