CVE-2023-46650: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

October 25, 2023 (updated November 1, 2023)

Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

References

www.openwall.com/lists/oss-security/2023/10/25/2
github.com/advisories/GHSA-mv77-fj63-q5w8
github.com/jenkinsci/github-plugin/commit/9e09678c445613521c45acce0ce525160747ff3e
nvd.nist.gov/vuln/detail/CVE-2023-46650
www.jenkins.io/security/advisory/2023-10-25/

Code Behaviors & Features

Detect and mitigate CVE-2023-46650 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →