1. Home
  2. CVE Database
  3. CVE-2023-27898
CRITICAL · 9.6

CVE-2023-27898

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompat...

Vulnerability Description

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.

CVSS Score

9.6

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
JenkinsJenkins>= 2.270, < 2.394

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2023-27898?

CVE-2023-27898 is a vulnerability with a CVSS score of 9.6 (CRITICAL). Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompat...

How severe is CVE-2023-27898?

CVE-2023-27898 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-27898?

Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins.