CVE-2023-43495
Description
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins fails to escape the `caption` parameter of `ExpandableDetailsNote`, leading to stored XSS that attackers can exploit if they control this parameter.
Vulnerability
Overview
Jenkins 2.423 and earlier, and LTS 2.414.1 and earlier, do not escape the value of the caption constructor parameter of ExpandableDetailsNote. This class is used to annotate build log content with additional information that becomes visible when users interact with it. Because the caption value is not sanitized, a stored cross-site scripting (XSS) vulnerability exists [1][2].
Exploitation
Details
Attackers who can control the caption parameter of ExpandableDetailsNote can inject arbitrary HTML or JavaScript. As noted in the advisory, the related API is not used within Jenkins core at the time of publication, and the Jenkins security team is not aware of any affected plugins. However, any plugin or script that uses ExpandableDetailsNote with an attacker-influenced caption could trigger this vulnerability. No additional authentication is required beyond the ability to supply the caption value through a Jenkins interface or plugin [2][3].
Impact
Successful exploitation results in stored XSS, allowing an attacker to execute arbitrary JavaScript in the context of a victim's browser when they view the affected build log. This could lead to session hijacking, credential theft, or other malicious actions on behalf of the victim user. The CVSS severity is rated High [1][2].
Mitigation
Jenkins 2.424 and LTS 2.414.2 escape the caption constructor parameter values, fixing this vulnerability. Users should upgrade immediately to these or later versions. As of the advisory date, no workarounds are available, and the Jenkins security team recommends applying the update [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:jenkins-coreMaven | >= 2.50, < 2.414.2 | 2.414.2 |
org.jenkins-ci.main:jenkins-coreMaven | >= 2.415, < 2.424 | 2.424 |
Affected products
3- osv-coords2 versions
< 2.424.0+ 1 more
- (no CPE)range: < 2.424.0
- (no CPE)range: >= 2.50, < 2.414.2
- Jenkins Project/Jenkinsv5Range: 2.424
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-5j46-5hwq-gwh7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-43495ghsaADVISORY
- www.jenkins.io/security/advisory/2023-09-20/ghsavendor-advisoryWEB
- www.openwall.com/lists/oss-security/2023/09/20/5ghsaWEB
News mentions
1- Jenkins Security Advisory 2023-09-20Jenkins Security Advisories · Sep 20, 2023