CVE-2023-27905

Name of the Vulnerable Software and Affected Versions Jenkins update-center2 versions 3.13 through 3.14

Description The issue is related to a stored cross-site scripting (XSS) vulnerability. This occurs because the required Jenkins core version on plugin download index pages is rendered without sanitization. Attackers who can provide a plugin for hosting may exploit this vulnerability, potentially allowing them to perform cross-site scripting attacks. The vulnerability is associated with errors in processing HTTP headers, which can be exploited by a remote attacker to carry out XSS attacks.

Recommendations For Jenkins update-center2 versions 3.13 and 3.14, consider disabling the rendering of the required Jenkins core version on plugin download index pages until a patch is available. Restrict access to plugin hosting to minimize the risk of exploitation. Avoid using unsanitized input in the affected plugin download index pages. At the moment, there is no information about a newer version that contains a fix for this vulnerability.