Jenkins Build Failure Analyzer Plugin Cross-site Scripting vulnerability
High severity
GitHub Reviewed
Published
Sep 20, 2023
to the GitHub Advisory Database
•
Updated Nov 12, 2023
Package
Affected versions
< 2.4.2
Patched versions
2.4.2
Description
Published by the National Vulnerability Database
Sep 20, 2023
Published to the GitHub Advisory Database
Sep 20, 2023
Reviewed
Sep 21, 2023
Last updated
Nov 12, 2023
Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.
Build Failure Analyzer Plugin 2.4.2 escapes Failure Cause names in build logs.
References