PT-2023-20286 · Jenkins · Jenkins Pipeline: Build Step Plugin

Kevin Guerroudj

·

Published

2023-02-15

·

Updated

2025-03-19

·

CVE-2023-25762

CVSS v3.1

5.4

Medium

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Build Step Plugin versions 2.18 and earlier
Description: Stored cross-site scripting (XSS). Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names when it embeds them in a JavaScript expression on the Pipeline Snippet Generator page. An attacker who can control job names (in practice, a user allowed to create or rename jobs, i.e. with Item/Create or Item/Configure permission) can choose a name that breaks out of the JavaScript string literal; the injected script is then stored on the server and executes in the browser of any user who later opens the Snippet Generator, which is why the vector carries UI:R and S:C.
Recommendations: Update Jenkins Pipeline: Build Step Plugin to 2.18.1 or later, the release that escapes job names in that expression. Until the update is applied, limit the risk by restricting who can create or rename jobs (the Item/Create and Item/Configure permissions), since those users are the ones who control job names; review existing job names for unexpected quote or script characters as well.
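To make the root cause concrete, the following added example (written for this page, not the plugin's own code) models the vulnerable pattern, a job name concatenated into a single-quoted JavaScript string literal in generated page script, next to the hardened pattern that emits a real string literal. The expression shape `snippetGenerator.selectJob(...)`, the fake `snippetGenerator` and `attacker` objects, and the two job names are assumptions constructed for the demo; the evaluation harness stands in for the victim's browser.

```javascript
// Illustrative model of CVE-2023-25762's bug class, not the plugin's source.
// A job name is spliced into a generated JavaScript expression; if it is not
// escaped, a hostile name ends the string literal and runs attacker code.

// Vulnerable pattern (assumed shape): plain concatenation into a JS literal.
function buildSelectJobJsVulnerable(jobName) {
  return "snippetGenerator.selectJob('" + jobName + "');";
}

// Hardened pattern: emit a genuine JS string literal. JSON.stringify escapes
// quotes, backslashes and control characters; "<" is escaped as well so the
// literal can never terminate an enclosing <script> element in HTML.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

function buildSelectJobJsSafe(jobName) {
  return 'snippetGenerator.selectJob(' + jsStringLiteral(jobName) + ');';
}

// Stand-in for the victim's browser: execute the generated script with a fake
// snippetGenerator and record whether anything besides selectJob ran.
function runInFakeBrowser(js) {
  const selected = [];
  let attackerCalls = 0;
  const snippetGenerator = { selectJob: (name) => { selected.push(name); } };
  const attacker = { hit: () => { attackerCalls += 1; } };
  new Function('snippetGenerator', 'attacker', js)(snippetGenerator, attacker);
  return { selected, attackerCalls };
}

// Constructed job names: a benign one and one that breaks out of the literal.
const BENIGN_JOB = 'deploy-prod';
const HOSTILE_JOB = "x'); attacker.hit(); ('";

// Run the same job name through both code paths and report what executed.
function compare(jobName) {
  return {
    vulnerable: runInFakeBrowser(buildSelectJobJsVulnerable(jobName)),
    hardened: runInFakeBrowser(buildSelectJobJsSafe(jobName)),
  };
}

for (const name of [BENIGN_JOB, HOSTILE_JOB]) {
  console.log(JSON.stringify({ jobName: name, ...compare(name) }, null, 2));
}
```

With the hostile name, the vulnerable path selects the job `x` and then calls `attacker.hit()`, while the hardened path passes the whole name through as one string and executes nothing else; a name containing `</script>` is emitted as `"\u003c/script>"` rather than as markup. The same rule applies to any server-side template that writes user-controlled values into inline script: build a string literal with a proper serializer instead of concatenating quotes.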

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-25762
GHSA-9J65-3F2Q-8Q2R
RHSA-2023:1866
RHSA-2023:3195
RHSA-2023:3198
RHSA-2023:3299
RHSA-2023:6171
RHSA-2023:6172
RHSA-2023:6179
RHSA-2023:7288
RHSA-2024:0775
RHSA-2024:0776
RHSA-2024:0777
RHSA-2024:0778

Affected Products

Jenkins
Jenkins Pipeline: Build Step Plugin