[JENKINS:SECURITY-3140] HTML injection vulnerability in `fortify`

Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

fortify 22.1.38 and earlier does not escape the error message returned by a form validation method, resulting in an HTML injection vulnerability.

NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses (see the Jenkins upgrade guide at /doc/upgrade-guide/2.263/#formvalidation) prevents JavaScript execution, so no scripts can be injected.

fortify 22.2.39 removes HTML tags from the error message.
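To illustrate the pattern behind this advisory, the following is an added example and not code from the fortify plugin or from Jenkins core. It shows a hypothetical descriptor (class and method names are assumptions) with a form validation method whose error message embeds the caller-supplied value. The unsafe variant renders that value as markup; the hardened variant uses FormValidation.error(String), which HTML-escapes its message, and the third variant shows how to escape the untrusted part explicitly when markup is genuinely needed.

```java
package example; // hypothetical package; this is not the fortify plugin's code

import hudson.Util;
import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;

/**
 * Hypothetical descriptor illustrating the advisory's pattern. Jenkins form
 * validation methods (doCheckXxx) return FormValidation objects whose message
 * is rendered into the configuration page, so untrusted input placed into the
 * message without escaping becomes HTML injection.
 */
public class ExampleDescriptor {

    private static final String ALLOWED = "[A-Za-z0-9_.-]+";

    // VULNERABLE pattern: errorWithMarkup() renders the message as HTML, so any
    // markup contained in 'value' lands in the page unescaped.
    public FormValidation doCheckProjectNameUnsafe(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        if (!value.matches(ALLOWED)) {
            return FormValidation.errorWithMarkup("Invalid project name: " + value);
        }
        return FormValidation.ok();
    }

    // HARDENED pattern: FormValidation.error(String) escapes its message, so the
    // same input is displayed literally instead of being interpreted as markup.
    public FormValidation doCheckProjectName(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        if (!value.matches(ALLOWED)) {
            return FormValidation.error("Invalid project name: " + value);
        }
        return FormValidation.ok();
    }

    // If trusted markup is really required in the message, escape the untrusted
    // part with Util.escape() before combining it with the markup.
    public FormValidation doCheckProjectNameWithMarkup(@QueryParameter String value) {
        if (value != null && !value.isEmpty() && !value.matches(ALLOWED)) {
            return FormValidation.errorWithMarkup(
                "Invalid project name: <code>" + Util.escape(value) + "</code>");
        }
        return FormValidation.ok();
    }
}
```

When reviewing a plugin for this class of issue, look for form validation methods that build their message from request parameters and return it through errorWithMarkup(), warningWithMarkup() or okWithMarkup(); switching to the non-markup variants, or escaping the parameter as above, is the fix. On Jenkins 2.275 / LTS 2.263.2 and later the form validation hardening noted above stops script execution from such responses, but HTML injection into the page remains until the plugin itself escapes the message.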

ID: JENKINS:SECURITY-3140
Severity: medium
Published: 2023-08-16T00:00:00
Modified: 2023-08-16T00:00:00
Rights: Jenkins Security Team
Other Advisories

Source             Name                URL
Plugin repository  fortify repository  https://github.com/jenkinsci/fortify-plugin

Packages

Type      Package URL                               Namespace               Name            Version
Affected  pkg:maven/org.jenkins-ci.plugins/fortify  org.jenkins-ci.plugins  fortify         <= 22.1.38
Fixed     pkg:maven/org.jenkins-ci.plugins/fortify  org.jenkins-ci.plugins  fortify         = 22.2.39
Affected  pkg:github/jenkinsci/fortify-plugin       jenkinsci               fortify-plugin  <= 22.1.38
Fixed     pkg:github/jenkinsci/fortify-plugin       jenkinsci               fortify-plugin  = 22.2.39