Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances. https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037
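As an added illustration of the flaw described above (not Jenkins' own code; plugin names and manifest values are constructed), the unescaped rendering pattern beside its escaped counterpart, an input-plausibility check for the version field, and a helper that tests a Jenkins version against the advisory's affected ranges:

```python
import html
import re

CURRENT_VERSION = "2.375.3"   # an affected LTS release per the advisory

# Constructed sample manifests: the minimum Jenkins version each plugin declares.
# The second value is a constructed hostile string standing in for what a
# compromised update site could ship to an affected instance.
SAMPLE_MANIFESTS = {
    "good-plugin": "2.387.1",
    "evil-plugin": "2.387.1<script>alert(document.domain)</script>",
}

VERSION_RE = re.compile(r"\d+(\.\d+){1,3}")


def is_plausible_version(value: str) -> bool:
    """Input validation: a Jenkins version consists only of digits and dots."""
    return VERSION_RE.fullmatch(value) is not None


def render_vulnerable(plugin: str, required: str, current: str) -> str:
    # The pattern behind the advisory: plugin-supplied text concatenated into HTML.
    return (f"<div class='error'>{plugin} requires Jenkins {required} "
            f"or newer, but this is Jenkins {current}</div>")


def render_fixed(plugin: str, required: str, current: str) -> str:
    # Every field that originates from the plugin or update site is HTML-escaped.
    return (f"<div class='error'>{html.escape(plugin)} requires Jenkins "
            f"{html.escape(required)} or newer, but this is Jenkins "
            f"{html.escape(current)}</div>")


def contains_raw_markup(rendered: str) -> bool:
    # Strip the template's own wrapper; any < or > left over came from input.
    body = rendered[len("<div class='error'>"):-len("</div>")]
    return "<" in body or ">" in body


def is_affected(version: str) -> bool:
    """Affected ranges from the advisory: weekly 2.270-2.393, LTS 2.277.1-2.375.3.
    Jenkins weekly releases carry two components, LTS releases three."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) == 2:
        return (2, 270) <= parts <= (2, 393)
    if len(parts) == 3:
        return (2, 277, 1) <= parts <= (2, 375, 3)
    raise ValueError(f"unrecognised Jenkins version format: {version!r}")
```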
Do we have any workaround for this? If we upgrade Jenkins to the latest version, will it fix this issue?
In reply to comment #2:
> Do we have any workaround for this?
>
> If we upgrade Jenkins to the latest version, will it fix this issue?

Hi Asmita,

There is no known workaround as of now. To fix this vulnerability it is recommended to upgrade to Jenkins 2.394, LTS 2.375.4, or LTS 2.387.1.
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-27898
This issue has been addressed in the following products:

OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663