CVE-2023-43495
Jenkins Cross-site Scripting vulnerability
Description
`ExpandableDetailsNote` is a console annotation in Jenkins core that lets a plugin attach additional information to a build log line; the information stays hidden behind a caption until a user interacts with it. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier do not escape the value of the `caption` constructor parameter of `ExpandableDetailsNote` before inserting it into the HTML of the console output. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide `caption` parameter values, which in practice means attackers who can influence data that a plugin passes as the caption; the payload then executes in the browser of any user who views that build's console output. As of publication, the related API is not used within Jenkins (core) itself, and the Jenkins security team is not aware of any affected plugins, so exposure depends on third-party or in-house plugins that call this API with untrusted data. Jenkins 2.424, LTS 2.414.2 escape `caption` constructor parameter values.
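The following is an added example, not code from Jenkins core or from any known affected plugin. It shows the one place this bug can be triggered: a hypothetical plugin build step that annotates the console log through `ExpandableDetailsNote.encodeTo(caption, html)` with a caption derived from attacker-influenced data (a build parameter value is assumed), beside the pattern a plugin author should use instead. Class and method names, and the parameter value, are assumptions for illustration; `ExpandableDetailsNote.encodeTo`, `TaskListener.getLogger` and `Util.escape` are real Jenkins core APIs.

```java
import hudson.Util;
import hudson.console.ExpandableDetailsNote;
import hudson.model.TaskListener;

/*
 * Hypothetical plugin code (not from Jenkins core, not a known affected plugin).
 * Both methods are meant to run inside a build step, for example from
 * SimpleBuildStep.perform, and annotate the console log of the running build.
 */
public final class ExpandableCaptionExample {

    /*
     * Vulnerable pattern on Jenkins <= 2.423 / LTS <= 2.414.1: the caption is taken
     * from attacker-influenced data (here an assumed build parameter value).
     * Unfixed cores insert the caption into the annotation markup without
     * escaping it, so a parameter value such as
     *     ' onmouseover='alert(document.domain)' x='
     * breaks out of the generated attribute and runs in the browser of anyone
     * who opens the build's console output (stored XSS; the user only has to
     * view the page, which is the UI:R in the CVSS vector).
     */
    static void annotateWithUntrustedCaption(TaskListener listener, String paramValue) {
        // The html body is rendered as-is by every core version, so the plugin
        // must escape untrusted data here regardless of the caption fix.
        String html = "<pre>Deployment target: " + Util.escape(paramValue) + "</pre>";
        // The caption is passed through verbatim: vulnerable on unfixed cores.
        listener.getLogger().println(
                ExpandableDetailsNote.encodeTo(paramValue, html) + "Deployment details");
    }

    /*
     * Safer pattern that does not depend on the core fix: the caption is a fixed,
     * developer-chosen label, and every untrusted value goes into the html body
     * only after Util.escape. Nothing attacker-controlled reaches the caption.
     */
    static void annotateWithFixedCaption(TaskListener listener, String paramValue) {
        String html = "<pre>Deployment target: " + Util.escape(paramValue) + "</pre>";
        listener.getLogger().println(
                ExpandableDetailsNote.encodeTo("Show deployment details", html) + "Deployment details");
    }
}
```

Escaping the caption yourself (`Util.escape(paramValue)` as the first argument) also closes the hole on unfixed cores, but on Jenkins 2.424 / LTS 2.414.2 and later the core escapes the caption again and the label is displayed double-escaped. Keeping the caption constant and confining variable data to the escaped html body behaves the same on every core version, which is why it is the pattern shown above.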
How to fix CVE-2023-43495
To remediate CVE-2023-43495, upgrade Jenkins core to the fixed version for the release line you run. The two fixed versions below correspond to the two release lines, not to two different packages.
- Weekly releases: upgrade to 2.424 or later (listed as 2.424.0 in the version range data on this page).
- LTS releases: upgrade to 2.414.2 or later.
Plugins are affected only if they pass untrusted data as the `caption` of an `ExpandableDetailsNote`; at the time of publication no such plugin was known, so no plugin update is required by this advisory.
Is CVE-2023-43495 being exploited?
Low. EPSS is 0.8%, a low predicted probability that the vulnerability will be exploited in the wild within the next 30 days. EPSS is a prediction derived from vulnerability characteristics and exploitation data, not a statement that attacks have been observed; it is also consistent with the advisory's note that no affected plugin was known at publication, which leaves little for an attacker to target on a stock installation.
Affected packages (2)
Both ranges refer to Jenkins core; the first covers the weekly release line (two-component versions such as 2.423) and the second the LTS line (three-component versions such as 2.414.1).
- Weekly line: from 0, < 2.424.0 (fixed in 2.424)
- LTS line: >= 2.50, < 2.414.2 (fixed in 2.414.2)
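The following is an added helper, not part of the advisory or of any database that publishes it. It decides whether an installed Jenkins core version is affected by CVE-2023-43495 from the two ranges above, telling the weekly line (two-component versions) from the LTS line (three-component versions) because each line has its own fix version. It assumes plain release version strings such as "2.423" or "2.414.1"; a trailing ".0" on a two-component version is treated as the normalised form used in the range listing above.

```java
import java.util.Arrays;

/*
 * Added helper for CVE-2023-43495 (not from the advisory). Fixed versions are
 * taken from the advisory text: weekly 2.424, LTS 2.414.2.
 */
public final class Cve202343495Check {

    /** Weekly line (2.x): fixed from 2.424. */
    static final int[] WEEKLY_FIXED = {2, 424};
    /** LTS line (2.x.y): fixed from 2.414.2. */
    static final int[] LTS_FIXED = {2, 414, 2};

    /** Parses "2.414.1" into {2, 414, 1}; rejects anything that is not dotted integers. */
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i]);
        }
        // "2.424.0" is how some range data spells the weekly release 2.424
        // (assumption based on the listing above); real LTS releases never end in .0.
        if (out.length == 3 && out[2] == 0) {
            out = Arrays.copyOf(out, 2);
        }
        return out;
    }

    /** Component-wise comparison; missing trailing components count as 0. */
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /** True when the given core version still lacks the caption escaping fix. */
    public static boolean isAffected(String version) {
        int[] v = parse(version);
        if (v.length == 2) {
            return compare(v, WEEKLY_FIXED) < 0;   // weekly line
        }
        if (v.length == 3) {
            return compare(v, LTS_FIXED) < 0;      // LTS line
        }
        throw new IllegalArgumentException("unrecognised Jenkins version: " + version);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; expected results follow from the advisory text.
        String[] samples = {"2.423", "2.424", "2.424.0", "2.414.1", "2.414.2", "2.401.3", "2.426.1"};
        for (String s : samples) {
            System.out.println(s + " affected=" + isAffected(s));
        }
    }
}
```

Note that an LTS version older than the 2.414 line, such as 2.401.3, is reported as affected: the fix was released only in 2.414.2 and newer, so any earlier LTS baseline must move up to 2.414.2 or later rather than wait for a patch to its own line.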
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | High | 8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
Reading the vector: the attacker needs some authenticated access to get a value into the caption (PR:L), a victim must open the annotated console output (UI:R), and the script then runs with that victim's session in the Jenkins origin, which is why confidentiality, integrity and availability are all rated High.