PT-2023-2258 · Jenkins · Jenkins

Ilay Goldman

Published 2023-03-08 · Updated 2025-02-28

CVE-2023-27898

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.270 through 2.393
Jenkins LTS versions 2.277.1 through 2.375.3

Description

The issue is related to errors in handling HTTP headers, which can allow a remote attacker to perform cross-site scripting (XSS) attacks. The vulnerability is exploitable by attackers who can provide plugins to the configured update sites and have the resulting error message displayed by Jenkins instances. This results in a stored cross-site scripting (XSS) vulnerability.

Recommendations

For Jenkins versions 2.270 through 2.393, update to a version outside of this range to resolve the issue. For Jenkins LTS versions 2.277.1 through 2.375.3, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the plugin update sites to minimize the risk of exploitation.

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-02017
BIT-JENKINS-2023-27898
CVE-2023-27898
GHSA-J664-QHH4-HPF8
RHSA-2023:1655
RHSA-2023:3663

Affected Products

Jenkins