CVE-2023-32977: XSS
First published: Tue May 16 2023(Updated: )
Jenkins Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately. The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts. Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <=1292.v27d8cc3e2602 | ||
| Jenkins Pipeline\ | <=1292.v27d8cc3e2602 | |
| maven/org.jenkins-ci.plugins.workflow:workflow-job | <1295.v395eb | 1295.v395eb |
| redhat/Pipeline Job Plugin | <1295. | 1295. |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-32977
- https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042
- https://github.com/jenkinsci/workflow-job-plugin/commit/395eb740000509bff789c7f409c90f2a4a738821
- https://github.com/advisories/GHSA-2wvv-phhw-qvmc (Advisory)
- https://access.redhat.com/errata/RHSA-2023:3610
- https://access.redhat.com/errata/RHSA-2023:3663
- https://access.redhat.com/errata/RHSA-2023:3625
- https://access.redhat.com/security/cve/cve-2023-32977
- https://bugzilla.redhat.com/show_bug.cgi?id=2207830
Frequently Asked Questions
What is the severity of CVE-2023-32977?
CVE-2023-32977 has been rated as a medium severity stored cross-site scripting (XSS) vulnerability.
How do I fix CVE-2023-32977?
To fix CVE-2023-32977, update the Jenkins Pipeline: Job Plugin to version 1295.v395eb or later.
Who is affected by CVE-2023-32977?
CVE-2023-32977 affects users running Jenkins Pipeline: Job Plugin version 1292.v27d8cc3e2602 or earlier.
What type of vulnerability is CVE-2023-32977?
CVE-2023-32977 is a stored cross-site scripting (XSS) vulnerability allowing attackers to inject malicious scripts into web pages.
When was CVE-2023-32977 disclosed?
CVE-2023-32977 was disclosed on May 16, 2023.
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-2wvv-phhw-qvmc
- alias/CVE-2023-32977
- agent/type
- agent/first-publish-date
- agent/author
- agent/softwarecombine
- agent/references
- agent/weakness
- agent/severity
- collector/github-advisory
- source/GitHub
- agent/software-canonical-lookup
- collector/redhat-bugzilla
- source/Red Hat
- collector/nvd-cve
- source/NVD
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- vendor/jenkins
- canonical/jenkins pipeline\
- version/jenkins pipeline\/1292.v27d8cc3e2602
- package-manager/maven
- package-manager/redhat