CVE-2023-43499
Description
Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not escape Failure Cause names in build logs, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or update Failure Causes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier has a stored XSS vulnerability via unescaped Failure Cause names in build logs.
Vulnerability
Overview
The Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier fail to escape Failure Cause names when they are displayed in build logs. This lack of output encoding allows an attacker to inject arbitrary HTML and JavaScript into the log output, leading to a stored cross-site scripting (XSS) vulnerability [1][2].
Exploitation
Prerequisites
An attacker must be able to create or update Failure Causes. In this plugin Failure Causes are managed globally rather than per job, so the attacker is typically a user who already holds that plugin-level administrative right, or an account that has been compromised to obtain it. Because the cause name is stored and re-rendered, a single malicious save is enough: every user who later views a build log annotated with that cause runs the injected script in their own browser session, with that user's Jenkins privileges [2].
Impact
Successful exploitation executes arbitrary JavaScript in the context of the Jenkins web interface, as the viewing user. Since the natural audience of a failure annotation is whoever investigates broken builds, administrators are likely victims. Script running in an authenticated Jenkins session can read the page, obtain the CSRF crumb and issue requests on the victim's behalf, so the impact ranges from session hijacking and credential theft to configuration changes and further compromise of the Jenkins instance and the systems it connects to [2].
Mitigation
The vulnerability is fixed in Build Failure Analyzer Plugin version 2.4.2, which escapes Failure Cause names in build logs [3]. Users should upgrade immediately; the advisory lists no workaround [3]. Until the upgrade is applied, two checks reduce exposure: restrict who may create or update Failure Causes to the smallest set of trusted administrators, and review the existing cause names for HTML markup (angle brackets, quotes, event-handler attributes), since a payload planted before the upgrade stays in the knowledge base and is only rendered harmlessly once the fixed version escapes it.
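The following is an added example, not code from the Build Failure Analyzer Plugin or the Jenkins project. It illustrates both the mechanics described in the Overview (a stored cause name concatenated into the build-log HTML without output encoding) and the pre-upgrade audit suggested in the Mitigation. The class, method names, the annotation markup and the sample cause names are all hypothetical; the plugin's real rendering code and fix are not reproduced here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not the plugin's own code. Models how a Failure Cause name
// reaches the rendered build log and how output encoding neutralises it.
// All names below are hypothetical.
public class FailureCauseLogEscaping {

    // Vulnerable pattern: the stored cause name is concatenated straight into
    // the HTML fragment rendered on the build page. A name such as
    // "<img src=x onerror=alert(1)>" becomes live markup for every viewer.
    static String renderAnnotationUnsafe(String causeName, String indication) {
        return "<span class=\"bfa-cause\" title=\"" + causeName + "\">"
                + indication + "</span>";
    }

    // Hardened pattern: every attacker-controlled value is HTML-encoded before
    // it is placed in text content or in a double-quoted attribute value.
    static String renderAnnotationSafe(String causeName, String indication) {
        return "<span class=\"bfa-cause\" title=\"" + htmlEscape(causeName) + "\">"
                + htmlEscape(indication) + "</span>";
    }

    // Minimal HTML entity encoding covering text and quoted-attribute contexts.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Audit check for a still-unpatched instance: flag stored cause names that
    // contain markup-significant characters, so planted payloads can be found
    // and removed rather than left to be rendered.
    private static final Pattern MARKUP = Pattern.compile("[<>\"'&]");

    static List<String> findSuspiciousCauseNames(List<String> causeNames) {
        List<String> hits = new ArrayList<>();
        for (String name : causeNames) {
            if (MARKUP.matcher(name).find()) {
                hits.add(name);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample data, not names from any real Jenkins instance.
        List<String> storedCauseNames = List.of(
                "Compilation error",
                "Out of memory",
                "Flaky test\" onmouseover=\"alert(document.cookie)");

        String malicious = storedCauseNames.get(2);
        System.out.println("unsafe: " + renderAnnotationUnsafe(malicious, "Build failed"));
        System.out.println("safe:   " + renderAnnotationSafe(malicious, "Build failed"));
        System.out.println("audit:  " + findSuspiciousCauseNames(storedCauseNames));
    }
}
```

In the unsafe output the stray double quote in the third sample name closes the `title` attribute and the remainder becomes an `onmouseover` handler; in the safe output the same name is rendered as inert text. The audit helper is deliberately broad (any markup character is reported) because a legitimate cause name rarely needs them and a false positive costs only a glance.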
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer (Maven) | < 2.4.2 | 2.4.2 |
Affected products
- Jenkins Project / Jenkins Build Failure Analyzer Plugin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-262f-77q5-rqv6 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-43499 (NVD)
- [3] www.jenkins.io/security/advisory/2023-09-20/ (vendor advisory)
- [4] www.openwall.com/lists/oss-security/2023/09/20/5 (oss-security mailing list)
News mentions
- Jenkins Security Advisory 2023-09-20, Jenkins Security Advisories, Sep 20, 2023