PT-2023-25163 · Jenkins · Jenkins Maven Repository Server Plugin+1

Cc Bomber

Published

2023-06-14

Updated

2025-01-02

CVE-2023-35144

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Maven Repository Server Plugin versions 1.10 and earlier

Description The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not escape project and build display names on the Build Artifacts As Maven Repository page. This allows for the storage of malicious scripts that can be executed when the page is viewed.

Recommendations For Jenkins Maven Repository Server Plugin versions 1.10 and earlier, update to a version later than 1.10 to resolve the issue. As a temporary workaround, consider restricting access to the Build Artifacts As Maven Repository page to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-35144

GHSA-39R8-4962-J7VG

Affected Products

Jenkins

Jenkins Maven Repository Server Plugin

PT-2023-25163 · Jenkins · Jenkins Maven Repository Server Plugin+1

CVE-2023-35144

Weakness Enumeration

Related Identifiers

Affected Products

References · 7