Login Sign Up

CVE-2023-27898

9.6 CRITICAL
Cross-Site Scripting

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Jenkins allows attackers to inject malicious scripts into error messages about plugin incompatibility. Attackers who can provide plugins to Jenkins update sites can exploit this to execute arbitrary JavaScript in users' browsers. Jenkins instances versions 2.270-2.393 and LTS 2.277.1-2.375.3 are affected.

💻 Affected Systems

Products:
  • Jenkins
Versions: 2.270 through 2.393 (inclusive), LTS 2.277.1 through 2.375.3 (inclusive)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker ability to provide plugins to update sites; Jenkins instances using untrusted update sites are most vulnerable.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, perform actions as authenticated users, or compromise the Jenkins server through subsequent attacks.

🟠

Likely Case

Attackers could hijack user sessions, steal sensitive data, or perform unauthorized actions within Jenkins.

🟢

If Mitigated

With proper plugin source controls and network segmentation, impact is limited to users viewing malicious error messages.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to provide malicious plugins to update sites; attackers need to trigger the specific error message display.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.394, LTS 2.375.4

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037

Restart Required: Yes

Instructions:

1. Backup Jenkins configuration and data. 2. Upgrade to Jenkins 2.394 or LTS 2.375.4 or later. 3. Restart Jenkins service. 4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Restrict Plugin Sources

all

Only use trusted, official Jenkins update sites and disable untrusted plugin sources.

Configure Jenkins to only use https://updates.jenkins.io/update-center.json

Content Security Policy

all

Implement strict Content Security Policy headers to mitigate XSS impact.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Jenkins from untrusted networks
  • Monitor and audit all plugin installations and update site configurations

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or via CLI

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify version is 2.394+ or LTS 2.375.4+ and test that plugin incompatibility messages are properly escaped

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin installation attempts
  • Multiple plugin compatibility errors
  • Requests to unusual update sites

Network Indicators:

  • Outbound connections to non-standard update sites
  • Unexpected plugin downloads

SIEM Query:

source="jenkins.log" AND ("plugin incompatibility" OR "update site")

📊 Metadata

CVE ID: CVE-2023-27898
CVSS v3 Score: 9.6 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-79
Published: March 10, 2023
Last Updated: February 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27898, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)