CVE-2023-43495

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.423 and earlier, LTS versions 2.414.1 and earlier

Description The issue is related to the lack of escaping of the caption constructor parameter value of ExpandableDetailsNote, resulting in a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited by attackers who can control this parameter, potentially allowing them to manage files in workspaces. The ExpandableDetailsNote feature allows annotating build log content with additional information that can be revealed when interacted with.

Recommendations For Jenkins versions 2.423 and earlier, update to version 2.424 or later. For LTS versions 2.414.1 and earlier, update to version 2.414.2 or later. As a temporary workaround, consider restricting access to the ExpandableDetailsNote feature until a patch is available. Avoid using the caption parameter in the affected ExpandableDetailsNote constructor until the issue is resolved.