Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HJenkins
APPJenkins2.270 – 2.394 (bez)2.277.1 – 2.375.4 (bez)
Powiązane podatności
Jenkins CLI – odczyt dowolnych plików przez path traversal bez uwierzytelnienia
A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remot...
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent ...
Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create symboli...