Cross-site Scripting in Jenkins Pipeline: Build Step Plugin
Moderate severity
GitHub Reviewed
Published
Feb 15, 2023
to the GitHub Advisory Database
•
Updated Jan 4, 2024
Package
Affected versions
<= 2.18
Patched versions
2.18.1
Description
Published by the National Vulnerability Database
Feb 15, 2023
Published to the GitHub Advisory Database
Feb 15, 2023
Reviewed
Feb 15, 2023
Last updated
Jan 4, 2024
Jenkins Pipeline: Build Step Plugin 2.18 and earlier does not escape job names in a JavaScript expression used in the Pipeline Snippet Generator, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control job names.
References