Bug 2226895 (CVE-2023-39151) - CVE-2023-39151 jenkins: Stored cross-site scripting via build logs
Summary: CVE-2023-39151 jenkins: Stored cross-site scripting via build logs
Keywords:
Status: NEW
Alias: CVE-2023-39151
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2226896
Reported: 2023-07-26 21:02 UTC by Pedro Sampaio
Modified: 2024-11-30 08:27 UTC (History)

Fixed In Version: Jenkins 2.416, jenkins LTS 2.401.3
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2023-07-26 21:02:27 UTC
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks.

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier do not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

Jenkins 2.416, LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

References:

https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188
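The encoding defect and fix described above, as an added example that is not Jenkins code: a constructed console-log URL linkifier in its pre-fix (verbatim interpolation) and fixed (entity-encoded) forms, plus a parser-based check that the encoded output yields exactly one anchor whose href and text decode back to the original URL. The `example.test` URL and the log line are constructed sample input.

```python
import html
import re
from html.parser import HTMLParser
# A plain http(s) URL in console text runs until the next whitespace.
URL_RE = re.compile(r"https?://\S+")

def linkify_unencoded(line: str) -> str:
    """Constructed model of the pre-fix behaviour: the URL is copied verbatim
    into href and link text, so a quote or angle bracket in the URL ends the
    attribute early and the rest is parsed as markup."""
    return URL_RE.sub(lambda m: f'<a href="{m[0]}">{m[0]}</a>', line)

def linkify_encoded(line: str) -> str:
    """Model of the fixed behaviour: every HTML-significant character in the
    URL (& < > " ') is entity-encoded in both the attribute and the text."""
    def repl(m):
        safe = html.escape(m[0], quote=True)
        return f'<a href="{safe}">{safe}</a>'
    return URL_RE.sub(repl, line)

class _AnchorCollector(HTMLParser):
    """Records (href, text) of each <a> element as a browser would see it."""
    def __init__(self):
        super().__init__()
        self.anchors, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(tuple(self._open))
            self._open = None

def anchors_in(markup: str) -> list:
    """Return the (href, text) pairs a browser would derive from the markup."""
    p = _AnchorCollector()
    p.feed(markup)
    p.close()
    return p.anchors

# Constructed log line whose URL carries a quote and an HTML tag.
LOG_LINE = 'Fetching https://example.test/job?q="<b>bold</b>" done'
ORIGINAL_URL = 'https://example.test/job?q="<b>bold</b>"'
```

The unencoded output contains six `<` characters for a single link (the injected tags survive into the page), while the encoded output contains exactly two and parses back to the original URL unchanged.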

