PT-2023-28845 · Jenkins · Jenkins Build Failure Analyzer Plugin+1

Yaroslav Afenkin

Published

2023-09-20

Updated

2023-09-27

CVE-2023-43499

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier

Description The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the Jenkins Build Failure Analyzer Plugin does not escape Failure Cause names in build logs. This makes it exploitable by attackers who can create or update Failure Causes.

Recommendations For Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier, update to version 2.4.2 or later, which escapes Failure Cause names in build logs, to resolve the issue.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-43499

GHSA-262F-77Q5-RQV6

Affected Products

Jenkins

Jenkins Build Failure Analyzer Plugin

PT-2023-28845 · Jenkins · Jenkins Build Failure Analyzer Plugin+1

CVE-2023-43499

Weakness Enumeration

Related Identifiers

Affected Products

References · 10