PT-2023-28845 · Jenkins · Jenkins Build Failure Analyzer Plugin+1

Yaroslav Afenkin

Publicado

2023-09-20

Atualizado

2023-09-27

CVE-2023-43499

CVSS v3.1

8.0

Alta

Vetor

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier

Description The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the Jenkins Build Failure Analyzer Plugin does not escape Failure Cause names in build logs. This makes it exploitable by attackers who can create or update Failure Causes.

Recommendations For Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier, update to version 2.4.2 or later, which escapes Failure Cause names in build logs, to resolve the issue.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2023-43499

GHSA-262F-77Q5-RQV6

Produtos afetados

Jenkins

Jenkins Build Failure Analyzer Plugin

PT-2023-28845 · Jenkins · Jenkins Build Failure Analyzer Plugin+1

CVE-2023-43499

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 10