First published: Wed Sep 20 2023
`ExpandableDetailsNote` allows annotating build log content with additional information that can be revealed when interacted with. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier do not escape the value of the `caption` constructor parameter of `ExpandableDetailsNote`. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide `caption` parameter values. As of publication, the related API is not used within Jenkins (core), and the Jenkins security team is not aware of any affected plugins. Jenkins 2.424 and LTS 2.414.2 escape `caption` constructor parameter values.
Credit: jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Jenkins | <2.414.2 | |
Jenkins Jenkins | <2.424 | |
maven/org.jenkins-ci.main:jenkins-core | >=2.415, <2.424 | 2.424 |
maven/org.jenkins-ci.main:jenkins-core | >=2.50, <2.414.2 | 2.414.2 |
CVE-2023-43495 is a stored cross-site scripting (XSS) vulnerability in Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, that allows an attacker to execute arbitrary script code.
CVE-2023-43495 can result in a stored XSS vulnerability, allowing an attacker to inject malicious code into the Jenkins build log.
Jenkins versions 2.423 and earlier, as well as LTS versions 2.414.1 and earlier, are affected.
CVE-2023-43495 has a severity rating of 8, which is considered high.
To mitigate CVE-2023-43495, update your Jenkins installation to version 2.424 or higher, or to LTS 2.414.2 or higher if you run the LTS line.
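
The following is an added example, not code from Jenkins or from this advisory: a version check that applies the two `jenkins-core` ranges from the table above, so that the fixed LTS release 2.414.2 is not flagged by a naive "older than 2.424" comparison. The function names, the `not-listed` status and the sample inventory are assumptions made for illustration.

```python
import re

# Ranges copied from the affected-version table on this page:
# (inclusive lower bound, exclusive upper bound = first fixed release).
AFFECTED_RANGES = [
    ((2, 415), (2, 424)),     # weekly line, fixed in 2.424
    ((2, 50), (2, 414, 2)),   # up to the 2.414.x LTS line, fixed in 2.414.2
]


def parse_version(text):
    """Turn '2.423', '2.414.1' or '2.424-SNAPSHOT' into a tuple of ints."""
    match = re.match(r"\s*(\d+(?:\.\d+){1,2})", text)
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def classify(version_text):
    """Return 'affected', 'fixed' or 'not-listed' for one Jenkins version."""
    version = parse_version(version_text)
    # Tuple comparison orders (2, 414, 1) < (2, 414, 2) < (2, 415) < (2, 424),
    # which keeps the LTS point releases apart from the weekly releases.
    if any(low <= version < high for low, high in AFFECTED_RANGES):
        return "affected"
    if version < min(low for low, _ in AFFECTED_RANGES):
        # Older than the table's lowest bound; the advisory text says
        # "and earlier", so treat these as needing manual review.
        return "not-listed"
    return "fixed"


def audit(inventory):
    """Map each controller name to its status; inventory is {name: version}."""
    return {name: classify(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ci-weekly": "2.423",
        "ci-lts-old": "2.414.1",
        "ci-lts-patched": "2.414.2",
        "ci-weekly-patched": "2.424",
    }
    for name, status in audit(sample).items():
        print(f"{name}: {status}")
```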