CVE-2023-39151
Jenkins Stored Cross-site Scripting vulnerability
8.0
HIGH
CVSS 3.1
EPSS 2.1%
Description
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, 2.414.1, and LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.
How to fix CVE-2023-39151
To remediate CVE-2023-39151, upgrade the affected package to a fixed version below.
- —upgrade to 2.415.1 or later
- —upgrade to 2.414.1 or later
Is CVE-2023-39151 being exploited?
Low — EPSS is 2.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.415.1
- >= 2.402, < 2.414.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |