CVE-2023-32984
Jenkins TestNG Results Plugin Stored Cross-site Scripting vulnerability
5.4
MEDIUM
CVSS 3.1
EPSS 17.4%
Description
Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file, that is, anyone who can influence the report files a job archives (for example by controlling the test code or build steps). The payload is persisted with the build and fires in the browser of any user who later views the affected page, which is why the vector below records required user interaction (UI:R) and a changed scope (S:C). TestNG Results Plugin 730.732.v959a_3a_a_eb_a_72 escapes the affected values that are parsed from TestNG report files.
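The following is an added illustration, not code from the TestNG Results Plugin (which is Java). It models the defect class the description names: strings parsed from a TestNG report file are interpolated into HTML without output encoding, and the fix is to HTML-escape them at the point of rendering. The advisory does not say which report attributes were affected, so the method `name` and `description` attributes, the sample report, the table layout and the helper names below are all assumptions made for the example.

```python
"""Stored XSS from unescaped TestNG report values: vulnerable vs. escaped rendering.

Added example, not the plugin's own code. The plugin renders these values from Java
views; this Python model reproduces only the pattern: report data -> HTML without
encoding (vulnerable) versus report data -> HTML with encoding (fixed). Which
attributes the real plugin failed to escape is not stated in the advisory; the
method name and description are used here as illustrative fields (assumption).
"""
import html
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of a TestNG results file (not a real build artifact). The
# nesting testng-results > suite > test > class > test-method follows the layout
# TestNG writes. XML-escaped payloads in the attributes decode to raw HTML once
# parsed, exactly as they would for a report an attacker checked into a repo.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<testng-results skipped="0" failed="1" total="2" passed="1">
  <suite name="regression" duration-ms="42">
    <test name="api">
      <class name="com.example.LoginTest">
        <test-method status="PASS" signature="happyPath()" name="happyPath"
                     description="valid credentials" duration-ms="20"/>
        <test-method status="FAIL" signature="evil()" duration-ms="22"
                     name="&lt;img src=x onerror=alert(document.domain)&gt;"
                     description="&quot; onmouseover=&quot;alert(1)"/>
      </class>
    </test>
  </suite>
</testng-results>
"""


def parse_report(xml_text: str) -> List[Dict[str, str]]:
    """Return one record per <test-method> holding the values a results page displays."""
    root = ET.fromstring(xml_text)
    records = []
    for suite in root.iter("suite"):
        for cls in suite.iter("class"):
            for method in cls.iter("test-method"):
                records.append({
                    "suite": suite.get("name", ""),
                    "class": cls.get("name", ""),
                    "name": method.get("name", ""),
                    "description": method.get("description", ""),
                    "status": method.get("status", ""),
                })
    return records


def render_vulnerable(records: List[Dict[str, str]]) -> str:
    """Unfixed pattern: report values are dropped straight into element and attribute context."""
    rows = [
        f'<tr><td title="{r["description"]}">{r["name"]}</td>'
        f'<td>{r["class"]}</td><td>{r["status"]}</td></tr>'
        for r in records
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_fixed(records: List[Dict[str, str]]) -> str:
    """Fixed pattern: every report value is HTML-escaped, including quotes for attribute context."""
    e = lambda s: html.escape(s, quote=True)  # quote=True is what protects title="..."
    rows = [
        f'<tr><td title="{e(r["description"])}">{e(r["name"])}</td>'
        f'<td>{e(r["class"])}</td><td>{e(r["status"])}</td></tr>'
        for r in records
    ]
    return "<table>" + "".join(rows) + "</table>"


def payload_is_live(fragment: str) -> bool:
    """Crude detector for this sample: did report data open a new tag or a new attribute?"""
    return "<img" in fragment or 'onmouseover="' in fragment


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("vulnerable render executes payload:", payload_is_live(render_vulnerable(recs)))
    print("fixed render executes payload:     ", payload_is_live(render_fixed(recs)))
```

Two contexts matter in this model: the method name lands in element content, where `<` must become `&lt;`, and the description lands inside a quoted attribute, where a bare `"` closes the attribute and lets the attacker add an event handler. Escaping with quotes enabled neutralises both; escaping only angle brackets would leave the attribute injection open.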
How to fix CVE-2023-32984
To remediate CVE-2023-32984, upgrade the TestNG Results Plugin to the fixed version below. There is no configuration workaround named in the advisory; until the upgrade is applied, treat any report page rendered from untrusted test output as a potential XSS sink.
- upgrade to 730.732.v959a_3a_a_eb_a_72 or later
Is CVE-2023-32984 being exploited?
Moderate. EPSS is 17.4%, an estimated 17.4% probability of exploitation activity within the next 30 days. EPSS is a model estimate, not evidence of observed attacks, and no confirmed exploitation is recorded on this page. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- Jenkins TestNG Results Plugin: all versions below 730.732.v959a_3a_a_eb_a_72 (730.v4c5283037693 and earlier)
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |