CVE-2023-27898

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

Published: Mar 10, 2023
Updated: May 10, 2024
CVE: CVE-2023-27898
GHSA: GHSA-j664-qhh4-hpf8
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.6
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
jenkins / jenkins	2.270	2.394
jenkins / jenkins	2.277.1	2.375.4
org.jenkins-ci.main / jenkins-core	2.376	2.394
org.jenkins-ci.main / jenkins-core	-	2.375.4

https://github.com/jenkinsci/jenkins/commit/59ac866d9946d7c296023da0ea78baafd4cf71eb
https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037

Vulnerability Database

289,599

CVE-2023-27898