Vulnerability Details CVE-2023-27898
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.1%
CVSS Severity
CVSS v3 Score 9.6
References
Products affected by CVE-2023-27898
-
cpe:2.3:a:jenkins:jenkins:2.270
-
cpe:2.3:a:jenkins:jenkins:2.274
-
cpe:2.3:a:jenkins:jenkins:2.276
-
cpe:2.3:a:jenkins:jenkins:2.277.1
-
cpe:2.3:a:jenkins:jenkins:2.277.2
-
cpe:2.3:a:jenkins:jenkins:2.277.3
-
cpe:2.3:a:jenkins:jenkins:2.277.4
-
cpe:2.3:a:jenkins:jenkins:2.289.1
-
cpe:2.3:a:jenkins:jenkins:2.289.2
-
cpe:2.3:a:jenkins:jenkins:2.289.3
-
cpe:2.3:a:jenkins:jenkins:2.299
-
cpe:2.3:a:jenkins:jenkins:2.300
-
cpe:2.3:a:jenkins:jenkins:2.303
-
cpe:2.3:a:jenkins:jenkins:2.303.1
-
cpe:2.3:a:jenkins:jenkins:2.303.2
-
cpe:2.3:a:jenkins:jenkins:2.303.3
-
cpe:2.3:a:jenkins:jenkins:2.318
-
cpe:2.3:a:jenkins:jenkins:2.319
-
cpe:2.3:a:jenkins:jenkins:2.319.1
-
cpe:2.3:a:jenkins:jenkins:2.319.2
-
cpe:2.3:a:jenkins:jenkins:2.319.3
-
cpe:2.3:a:jenkins:jenkins:2.333
-
cpe:2.3:a:jenkins:jenkins:2.334
-
cpe:2.3:a:jenkins:jenkins:2.375.3
-
cpe:2.3:a:jenkins:jenkins:2.393