PT-2023-20286 · Jenkins · Jenkins Pipeline: Build Step Plugin+1

Kevin Guerroudj

·

Publicado

2023-02-15

·

Atualizado

2025-03-19

·

CVE-2023-25762

CVSS v3.1

5.4

Média

VetorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Jenkins Pipeline: Build Step Plugin versions 2.18 and earlier
Description The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because job names in a JavaScript expression used in the Pipeline Snippet Generator are not properly escaped. This allows attackers who can control job names to exploit the vulnerability.
Recommendations For Jenkins Pipeline: Build Step Plugin versions 2.18 and earlier, update to a version later than 2.18 to resolve the issue. As a temporary workaround, consider restricting the ability to control job names to minimize the risk of exploitation.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2023-25762
GHSA-9J65-3F2Q-8Q2R
RHSA-2023:1866
RHSA-2023:3195
RHSA-2023:3198
RHSA-2023:3299
RHSA-2023:6171
RHSA-2023:6172
RHSA-2023:6179
RHSA-2023:7288
RHSA-2024:0775
RHSA-2024:0776
RHSA-2024:0777
RHSA-2024:0778

Produtos afetados

Jenkins
Jenkins Pipeline: Build Step Plugin