CVE-2023-32977

Name of the Vulnerable Software and Affected Versions Jenkins Pipeline: Job Plugin versions 1292.v27d8cc3e2602 and earlier

Description The Jenkins Pipeline: Job Plugin does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability. This issue is exploitable by attackers able to set build display names immediately. The vulnerability occurs when the "Do not allow concurrent builds" option is set. It is noted that the build name must be set before the build starts, and the Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability.

Recommendations For Jenkins Pipeline: Job Plugin versions 1292.v27d8cc3e2602 and earlier, update to version 1295.v395eb 7400005 or later, which escapes the display name of the build that caused an earlier build to be aborted, thereby resolving the stored cross-site scripting (XSS) vulnerability.