Story
Resolution: Done
Critical
EdgeX Foundry
Immediate Jenkins upgrade required to resolve security vulnerability
I'd suggest taking a snapshot of all plugins before doing the upgrade
CVE Details:
XSS vulnerability in plugin manager
SECURITY-3037 / CVE-2023-27898
Severity (CVSS): High
Description:
Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.
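As an added illustration (not Jenkins code and not part of the original ticket), the block below does two things a practitioner would want when triaging this advisory: it checks whether a given Jenkins core version falls inside the affected ranges quoted above, and it contrasts the class of rendering bug described (an untrusted "required Jenkins version" string from an update site concatenated into HTML) with its escaped form. The function names, the rendering helpers and the sample hostile string are hypothetical constructs for the example; only the version ranges come from the advisory text.

```python
import html

# Affected ranges taken from the advisory text quoted in the ticket
# (SECURITY-3037 / CVE-2023-27898). Weekly releases carry two version
# components, LTS releases three; both bounds are inclusive.
WEEKLY_AFFECTED = ((2, 270), (2, 393))
LTS_AFFECTED = ((2, 277, 1), (2, 375, 3))


def parse_version(version: str) -> tuple:
    """Turn '2.375.3' into (2, 375, 3) so ranges compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the given Jenkins core version is inside an affected range."""
    v = parse_version(version)
    if len(v) == 2:            # weekly line, e.g. 2.393
        low, high = WEEKLY_AFFECTED
    elif len(v) == 3:          # LTS line, e.g. 2.375.3
        low, high = LTS_AFFECTED
    else:
        raise ValueError(f"unexpected version shape: {version!r}")
    return low <= v <= high


# Hypothetical rendering helpers, not Jenkins code. They model the bug class
# the advisory describes: an attacker-controlled field (the Jenkins version a
# plugin declares it requires) dropped into HTML verbatim.
def render_incompatibility_unescaped(required_version: str) -> str:
    """Vulnerable form: the string from the update site is concatenated raw."""
    return f"<p>This plugin requires Jenkins {required_version} or newer.</p>"


def render_incompatibility_escaped(required_version: str) -> str:
    """Hardened form: HTML-escape untrusted text before it reaches the page."""
    return (
        "<p>This plugin requires Jenkins "
        f"{html.escape(required_version, quote=True)} or newer.</p>"
    )


if __name__ == "__main__":
    for ver in ("2.269", "2.270", "2.393", "2.394", "2.277.1", "2.375.3", "2.387.1"):
        print(f"{ver:>8}: {'AFFECTED' if is_affected(ver) else 'ok'}")
    # Constructed sample of a hostile 'required version' field.
    hostile = "2.387<script>alert(1)</script>"
    print(render_incompatibility_unescaped(hostile))
    print(render_incompatibility_escaped(hostile))
```

Run it against the version reported by your own controller; the LTS target named in the linked ticket (2.387.1) sits outside both ranges, while anything the check flags should be upgraded before plugin installation from external update sites is allowed again.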
Blocks: RELENG-4619 Jenkins - Critical Security Upgrade - LTS 2.387.1 (Done)