CVE-2023-46650: XSS
First published: Wed Oct 25 2023(Updated: )
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Github | <=1.37.3 | |
| maven/com.coravy.hudson.plugins.github:github | <1.37.3.1 | 1.37.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246
- http://www.openwall.com/lists/oss-security/2023/10/25/2
- https://nvd.nist.gov/vuln/detail/CVE-2023-46650
- https://github.com/jenkinsci/github-plugin/commit/9e09678c445613521c45acce0ce525160747ff3e
- https://github.com/advisories/GHSA-mv77-fj63-q5w8 (Advisory)
Frequently Asked Questions
What is CVE-2023-46650?
CVE-2023-46650 is a vulnerability in Jenkins GitHub Plugin 1.37.3 and earlier that allows for stored cross-site scripting (XSS) attacks.
How severe is CVE-2023-46650?
CVE-2023-46650 has a severity rating of high, with a severity value of 8.
How can this vulnerability be exploited?
This vulnerability can be exploited by attackers with Item/Configure permission, allowing them to conduct stored cross-site scripting attacks.
What is the affected software?
The affected software is Jenkins GitHub Plugin 1.37.3 and earlier.
How do I fix CVE-2023-46650?
To fix CVE-2023-46650, update to version 1.37.3.1 of the Jenkins GitHub Plugin.
- collector/mitre-cve
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-mv77-fj63-q5w8
- alias/CVE-2023-46650
- collector/github-advisory
- vendor/jenkins
- canonical/jenkins github
- version/jenkins github/1.37.3
- package-manager/maven