First published: Wed Jul 26 2023(Updated: )
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Jenkins | <=2.415 | |
Jenkins Jenkins | <=2.401.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-39151 is a vulnerability in Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier that allows stored cross-site scripting (XSS) attacks through unsanitized URLs in build logs.
CVE-2023-39151 has a severity score of 8, indicating a high severity.
CVE-2023-39151 affects Jenkins versions 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier.
CVE-2023-39151 is associated with CWE-79 (Cross-site Scripting).
To mitigate CVE-2023-39151, it is recommended to update Jenkins to version 2.416, 2.414.1, or 2.401.3, which contain the necessary fixes.