High severityNVD Advisory· Published Mar 8, 2023· Updated Feb 28, 2025
CVE-2023-27898
CVE-2023-27898
Description
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:jenkins-coreMaven | >= 2.376, < 2.394 | 2.394 |
org.jenkins-ci.main:jenkins-coreMaven | < 2.375.4 | 2.375.4 |
Affected products
9- osv-coords8 versionspkg:apk/chainguard/jenkinspkg:apk/chainguard/jenkins-compatpkg:apk/chainguard/jenkins-remotingpkg:apk/wolfi/jenkinspkg:apk/wolfi/jenkins-compatpkg:apk/wolfi/jenkins-remotingpkg:bitnami/jenkinspkg:maven/org.jenkins-ci.main/jenkins-core
< 2.395-r0+ 7 more
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: < 2.395-r0
- (no CPE)range: >= 2.270.0, < 2.394.0
- (no CPE)range: >= 2.376, < 2.394
- Range: 2.270
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-j664-qhh4-hpf8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-27898ghsaADVISORY
- www.jenkins.io/security/advisory/2023-03-08/ghsavendor-advisoryWEB
- github.com/jenkinsci/jenkins/commit/59ac866d9946d7c296023da0ea78baafd4cf71ebghsaWEB
News mentions
1- Jenkins Security Advisory 2023-03-08Jenkins Security Advisories · Mar 8, 2023