[JENKINS:SECURITY-3246] Stored XSS vulnerability in `github`

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

github 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

github 1.37.3.1 escapes the GitHub project URL on the build page when showing changes.
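The pattern behind this advisory, as an added illustration that is not the github plugin's own code: a URL taken from job configuration (so writable by anyone with Item/Configure) is placed into the build page markup once without escaping, as in 1.37.3 and earlier, and once with HTML escaping applied to every configuration-controlled value, as the fix does. The renderer, the `escapeHtml` helper and the sample URL are all assumptions for this example; the plugin itself renders through Jelly views and Jenkins core utilities, not these methods.

```java
// Added example (not the github plugin's own code): how an unescaped
// project URL becomes stored XSS on the build page, and the escaped form.
public class ChangesLinkEscaping {

    /** Minimal HTML escaper for text and attribute contexts (assumed helper). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Affected pattern: configuration-controlled URL dropped straight into markup. */
    static String renderUnescaped(String projectUrl, String commitId) {
        return "<a href=\"" + projectUrl + "commit/" + commitId + "\">" + commitId + "</a>";
    }

    /** Fixed pattern: every configuration-controlled value is escaped for its HTML context. */
    static String renderEscaped(String projectUrl, String commitId) {
        String href = escapeHtml(projectUrl + "commit/" + commitId);
        return "<a href=\"" + href + "\">" + escapeHtml(commitId) + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample: a project URL that closes the href attribute
        // and injects its own markup, as a user with Item/Configure could enter.
        String hostile = "https://example.invalid/org/repo/\"><i>injected</i><a href=\"";
        String commit = "abc1234";
        System.out.println("affected: " + renderUnescaped(hostile, commit));
        System.out.println("fixed:    " + renderEscaped(hostile, commit));
    }
}
```

In the unescaped output the browser sees a closed anchor followed by attacker markup; in the escaped output the whole value stays inside the `href` attribute as inert text. Escaping at the point of output is the fix this advisory describes; validating that a configured project URL is an absolute `http(s)` URL at configuration time would be an additional defence, not a substitute for it.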

ID: JENKINS:SECURITY-3246
Severity: high
Published: 2023-10-25T00:00:00
Modified: 2023-10-25T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source: Plugin repository
ID: github
Name: repository
URL: https://github.com/jenkinsci/github-plugin
Packages
Affected: pkg:maven/org.jenkins-ci.plugins/github (namespace org.jenkins-ci.plugins, name github), version <= 1.37.3
Fixed:    pkg:maven/org.jenkins-ci.plugins/github (namespace org.jenkins-ci.plugins, name github), version = 1.37.3.1
Affected: pkg:github/jenkinsci/github-plugin (namespace jenkinsci, name github-plugin), version <= 1.37.3
Fixed:    pkg:github/jenkinsci/github-plugin (namespace jenkinsci, name github-plugin), version = 1.37.3.1