PT-2023-25165 · Jenkins · Jenkins Template Workflows Plugin
Credit: Alvaro Muñoz
Published 2023-06-14 · Updated 2023-06-23
CVE-2023-35146
CVSS v3.1: 8.0 (High)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Template Workflows Plugin versions 41.v32d86a_313b_4a and earlier
Description
Template Workflows Plugin does not escape the names of jobs that are used as building blocks for a Template Workflow Job when it renders them. An attacker able to create jobs can therefore choose a name that is stored and later executed as script in the browser of any user who views the affected page, i.e. a stored cross-site scripting (XSS) vulnerability. The attacker needs job-creation permission (PR:L) and a victim has to open the page in which the name is rendered (UI:R).
Recommendations
No fixed release was available for Jenkins Template Workflows Plugin 41.v32d86a_313b_4a and earlier at the time of publication. Until a patched version exists, consider disabling the Template Workflow Job feature (or removing the plugin if it is not needed) so that unescaped job names are no longer rendered. Restrict Job/Create permission to trusted users, since that permission is all an attacker needs, and review existing job names and display names for characters such as quotes, angle brackets and ampersands that have meaning in HTML or inline JavaScript.
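The following triage script is an added example, not code from this advisory, from the Jenkins project or from the Template Workflows Plugin. It answers the two questions an administrator has after reading the recommendation above: is the plugin installed at an affected version, and do any job names or display names already contain characters that matter when rendered without escaping. Assumptions not stated on the page: the plugin's update-center short name is `template-workflows`; every release whose leading version number is 41 or lower is treated as affected (the page lists 41.v32d86a_313b_4a and earlier with no fixed release); the JSON shapes are those returned by the `/pluginManager/api/json` and `/api/json` endpoints for the `tree` filters shown; the sample data is constructed so the module runs offline.

```python
"""Triage helpers for CVE-2023-35146 (Jenkins Template Workflows Plugin,
stored XSS via unescaped job names). Added example, not advisory or plugin code.

Assumptions (not stated on the advisory page):
  * the plugin's update-center short name is "template-workflows";
  * a leading version number <= 41 means affected, because the page lists
    41.v32d86a_313b_4a and earlier and no fixed release;
  * the JSON shapes below match Jenkins' /api/json and /pluginManager/api/json
    output for the `tree` filters used in fetch_json() calls at the bottom.
"""
import json
import re
import urllib.request

PLUGIN_SHORT_NAME = "template-workflows"   # assumption, see module docstring
AFFECTED_MAX_MAJOR = 41                    # "41.v32d86a_313b_4a and earlier"

# Characters that matter when a name lands unescaped in HTML or inline JavaScript:
# <, > and & break text context, quotes break attribute or string context.
# Jenkins' default job-name check rejects <, > and &, so quotes are the realistic
# case for UI-created jobs; display names are not subject to that check at all.
UNSAFE_CHARS = re.compile(r'[<>&"\']')


def plugin_status(plugin_manager_json):
    """Return {'version', 'active', 'affected'} for the plugin, or None if absent."""
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = str(plugin.get("version", ""))
            leading = re.match(r"(\d+)", version)
            # An unparseable version is flagged as affected rather than ignored.
            affected = leading is None or int(leading.group(1)) <= AFFECTED_MAX_MAJOR
            return {"version": version,
                    "active": bool(plugin.get("active", True)),
                    "affected": affected}
    return None


def suspicious_jobs(jobs_json):
    """Walk the (folder-nested) job tree; return jobs whose fullName or
    displayName contains HTML/JS-significant characters."""
    findings = []

    def walk(items):
        for item in items:
            full_name = item.get("fullName", "")
            display_name = item.get("displayName") or ""
            fields = []
            if UNSAFE_CHARS.search(full_name):
                fields.append("fullName")
            if UNSAFE_CHARS.search(display_name):
                fields.append("displayName")
            if fields:
                findings.append({"fullName": full_name,
                                 "displayName": display_name,
                                 "fields": fields})
            # Folders and multibranch projects nest their children under "jobs".
            walk(item.get("jobs", []))

    walk(jobs_json.get("jobs", []))
    return findings


def fetch_json(base_url, path, opener=None):
    """GET a Jenkins JSON API endpoint. Authentication (e.g. an API token via
    urllib's HTTPBasicAuthHandler) must be configured on `opener` by the caller."""
    opener = opener or urllib.request.build_opener()
    with opener.open(base_url.rstrip("/") + path, timeout=30) as resp:
        return json.load(resp)


# Constructed sample payloads in the shape of the two endpoints (offline use).
SAMPLE_PLUGINS = {"plugins": [
    {"shortName": "git", "version": "5.0.0", "active": True},
    {"shortName": "template-workflows", "version": "41.v32d86a_313b_4a", "active": True},
]}
SAMPLE_JOBS = {"jobs": [
    {"fullName": "build-lib", "displayName": "build-lib"},
    {"fullName": "team", "displayName": "team", "jobs": [
        {"fullName": 'team/nightly-"qa"', "displayName": 'nightly-"qa"'},
        {"fullName": "team/docs", "displayName": "<i>Docs</i>"},
    ]},
]}

if __name__ == "__main__":
    print(plugin_status(SAMPLE_PLUGINS))
    for finding in suspicious_jobs(SAMPLE_JOBS):
        print(finding)
    # Live use against a controller (supply credentials on an opener first):
    # plugin_status(fetch_json(URL, "/pluginManager/api/json?depth=1&tree=plugins[shortName,version,active]"))
    # suspicious_jobs(fetch_json(URL, "/api/json?tree=jobs[fullName,displayName,jobs[fullName,displayName,jobs[fullName,displayName]]]"))
```

A hit from `suspicious_jobs` is not proof of exploitation, only a name that would need escaping wherever it is rendered; the right follow-up is to check who created or renamed that item and whether it is referenced by a Template Workflow Job.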
Fix
No fixed release was available at the time of publication; see Recommendations.
Weakness Enumeration
XSS (stored cross-site scripting)
Related Identifiers
CVE-2023-35146
Affected Products
Jenkins
Jenkins Template Workflows Plugin