CVE-2023-46650 — Stored XSS vulnerability in Jenkins GitHub Plugin

Description

Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. GitHub Plugin 1.37.3.1 escapes GitHub project URL on the build page when showing changes.

How to fix CVE-2023-46650

To remediate CVE-2023-46650, upgrade the affected package to a fixed version below.

—upgrade to 1.37.3.1 or later

Is CVE-2023-46650 being exploited?

Low — EPSS is 4.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.37.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46650
PATCHgithub.com/jenkinsci/github-plugin
WEBgithub.com/jenkinsci/github-plugin/commit/9e09678c445613521c45acce0ce525160747ff3e
WEBwww.jenkins.io/security/advisory/2023-10-25/#SECURITY-3246