Bug 2177629 (CVE-2023-27898)
| Field | Value |
|---|---|
| Summary | CVE-2023-27898 Jenkins: XSS vulnerability in plugin manager |
| Product | [Other] Security Response |
| Reporter | Avinash Hanwate <ahanwate> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | abenaiss, agawand, dfreiber, ellin, jburrell, rogbas, scorneli, security-response-team, shbose, vkumar |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | Jenkins 2.394, LTS 2.375.4, LTS 2.387.1 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Jenkins. Affected versions of Jenkins do not escape the Jenkins version that a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This issue results in a stored Cross-site scripting (XSS) vulnerability, exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2023-04-12 17:39:23 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2177137 |
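The defect in the Doc Text above, an unescaped plugin metadata field landing in the plugin manager's incompatibility message, modelled in Python as an added example. This is not Jenkins code and not from this bug report: the update-site document, plugin names, payload, message wording and function names are constructed for illustration. Only the field name `requiredCore` follows the Jenkins update-center JSON layout, and the lenient version parsing is an assumption about how a permissive parser treats trailing text.

```python
import html
import json
import re

# Constructed update-site document (not a real Jenkins update center):
# one benign plugin and one whose requiredCore smuggles markup. Only the
# field name requiredCore follows the Jenkins update-center JSON layout.
UPDATE_SITE_JSON = json.dumps({
    "plugins": {
        "good-plugin": {"name": "good-plugin", "version": "1.2",
                        "requiredCore": "2.400"},
        "evil-plugin": {"name": "evil-plugin", "version": "9.9",
                        "requiredCore": "2.999<img src=x onerror=alert(document.domain)>"},
    }
})

VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def lenient_version(text):
    """Leading dotted-numeric prefix of a version string, trailing text ignored.

    Assumption for this example: a permissive version parser still extracts
    (2, 999) from "2.999<img ...>", so the incompatibility branch is reached
    and the raw field is handed to the renderer.
    """
    m = re.match(r"\d+(\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def render_incompat_vulnerable(plugin, core):
    # Attacker-controlled metadata interpolated into HTML with no escaping:
    # the bug class described in the Doc Text.
    return (f'<div class="error">{plugin["name"]} requires Jenkins '
            f'{plugin["requiredCore"]} or newer (this instance runs {core})</div>')


def render_incompat_fixed(plugin, core):
    # Every value that originates outside the application is HTML-escaped
    # before it is placed in element content.
    e = html.escape
    return (f'<div class="error">{e(plugin["name"])} requires Jenkins '
            f'{e(plugin["requiredCore"])} or newer (this instance runs {e(core)})</div>')


def incompat_messages(site_json, core, render):
    """Messages the plugin manager would show for plugins this core cannot run."""
    site = json.loads(site_json)
    return [render(p, core) for p in site["plugins"].values()
            if lenient_version(core) < lenient_version(p["requiredCore"])]


def malformed_required_core(site_json):
    """Defense in depth for update-site consumers: names of plugins whose
    requiredCore is not a plain dotted version and should be rejected."""
    site = json.loads(site_json)
    return [name for name, p in site["plugins"].items()
            if not VERSION_RE.match(p["requiredCore"])]


if __name__ == "__main__":
    for render in (render_incompat_vulnerable, render_incompat_fixed):
        for msg in incompat_messages(UPDATE_SITE_JSON, "2.375.3", render):
            print(render.__name__, "->", msg)
    print("rejected:", malformed_required_core(UPDATE_SITE_JSON))
```

Run against a core of 2.375.3 both plugins are "incompatible", and the vulnerable renderer emits the `<img ... onerror=...>` from the update-site field verbatim, which is the stored XSS; the fixed renderer emits it as `&lt;img ... &gt;`. Output escaping is the fix; validating `requiredCore` against a version pattern before the metadata is ever stored is the additional check a consumer of third-party update sites would want.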
Description
Avinash Hanwate
2023-03-13 08:15:39 UTC
Do we have any workaround for this? If we upgrade Jenkins to the latest version, will it fix this issue?

In reply to comment #2:
> Do we have any workaround for this?
>
> If we upgrade Jenkins to the latest version, will it fix this issue?

Hi Asmita,

There is no known workaround as of now. To fix this vulnerability it is recommended to upgrade to Jenkins 2.394, LTS 2.375.4, or LTS 2.387.1.

This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-27898

This issue has been addressed in the following products:

OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663
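One way to answer the question raised in the thread above (which running versions are affected, and whether an upgrade target carries the fix) using only the fixed versions this bug lists, as an added example that is not Red Hat or Jenkins tooling. The inventory, instance names and header values are constructed; the only fact assumed beyond the page is that Jenkins reports its core version in the `X-Jenkins` HTTP response header, and the weekly-vs-LTS rule (two components for weekly, three for LTS) is this example's assumption.

```python
import re

# Fixed versions from this bug's "Fixed In Version" field.
FIXED_WEEKLY = (2, 394)            # weekly line: 2.394 and later carry the fix
FIXED_LTS_PATCH = {(2, 375): 4,    # LTS 2.375.x: fixed from 2.375.4
                   (2, 387): 1}    # LTS 2.387.x: fixed from 2.387.1

# Constructed inventory: instance name -> HTTP response headers (not real hosts).
INVENTORY = {
    "ci-weekly": {"X-Jenkins": "2.393", "Server": "Jetty(10.0.13)"},
    "ci-lts-old": {"X-Jenkins": "2.375.3"},
    "ci-lts-patched": {"X-Jenkins": "2.387.1"},
    "ci-lts-stale-line": {"X-Jenkins": "2.361.4"},
}


def parse_version(text):
    """'2.387.1' -> (2, 387, 1). Only the leading dotted-numeric part is used;
    a build suffix or surrounding whitespace is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version):
    """True if this core version contains the CVE-2023-27898 fix.

    Assumption: weekly releases are two-component (2.N) and LTS releases
    three-component (2.N.M). An LTS line not listed in FIXED_LTS_PATCH
    (e.g. 2.361.x) never received a backport, so it counts as fixed only if
    its baseline is already at or past the weekly fix, 2.394.
    """
    parts = parse_version(version)
    line = parts[:2]
    if len(parts) >= 3 and line in FIXED_LTS_PATCH:
        return parts[2] >= FIXED_LTS_PATCH[line]
    return line >= FIXED_WEEKLY


def version_from_headers(headers):
    """Jenkins advertises its core version in the X-Jenkins response header;
    `headers` is a name -> value dict as returned by any HTTP client."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    raise KeyError("X-Jenkins header not present")


def affected_instances(inventory):
    """Names of instances whose advertised core version predates the fix."""
    return sorted(name for name, hdrs in inventory.items()
                  if not is_fixed(version_from_headers(hdrs)))


if __name__ == "__main__":
    for name, hdrs in INVENTORY.items():
        v = version_from_headers(hdrs)
        print(f"{name:20s} {v:10s} {'fixed' if is_fixed(v) else 'AFFECTED'}")
```

The point the check makes explicit is that "latest" has to be read per release line: 2.387 (the LTS baseline) is below 2.394 and is still affected, while 2.387.1 is fixed, and an instance on an older LTS line such as 2.361.x only gets the fix by moving to one of the three listed versions or anything newer.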