Bug 2226895 (CVE-2023-39151) - CVE-2023-39151 jenkins: Stored cross-site scripting via build logs
Summary: CVE-2023-39151 jenkins: Stored cross-site scripting via build logs
Keywords:
Status: NEW
Alias: CVE-2023-39151
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2226896
TreeView+ depends on / blocked
 
Reported: 2023-07-26 21:02 UTC by Pedro Sampaio
Modified: 2024-02-12 14:52 UTC (History)
10 users (show)

Fixed In Version: Jenkins 2.416, jenkins LTS 2.401.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins, where Jenkins weekly and LTS are vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote, authenticated attacker can inject malicious script into a web page, which would be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. This flaw allows an attacker to steal the victim's cookie-based authentication credentials.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2023-07-26 21:02:27 UTC
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks.

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

Jenkins 2.416, LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

References:

https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188


Note You need to log in before you can comment on or make changes to this bug.