{"id":"CVE-2023-27898","details":"Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.","aliases":["BIT-jenkins-2023-27898","GHSA-j664-qhh4-hpf8"],"modified":"2026-04-10T04:56:47.451298Z","published":"2023-03-10T21:15:15.403Z","related":["CGA-prff-7q98-2598"],"references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/jenkins","events":[{"introduced":"ccd7bc3c3f436dbe8a4b382110725b3ebe220dfc"},{"fixed":"2fe98001f3ab22c36fe3911253a1e7be658222c4"},{"introduced":"a22f822b74a28d4100a6cf402df0855d7c92d1a3"},{"fixed":"721f445841ca8c6f29cb314e2dedddf0949461ed"}],"database_specific":{"versions":[{"introduced":"2.270"},{"fixed":"2.394"},{"introduced":"2.277.1"},{"fixed":"2.375.4"}]}}],"versions":["jenkins-2.270","jenkins-2.271","jenkins-2.272","jenkins-2.273","jenkins-2.274","jenkins-2.276","jenkins-2.277","jenkins-2.278","jenkins-2.279","jenkins-2.280","jenkins-2.281","jenkins-2.282","jenkins-2.283","jenkins-2.284","jenkins-2.285","jenkins-2.286","jenkins-2.287","jenkins-2.288","jenkins-2.289","jenkins-2.290","jenkins-2.291","jenkins-2.292","jenkins-2.293","jenkins-2.294","jenkins-2.295","jenkins-2.296","jenkins-2.297","jenkins-2.298","jenkins-2.299","jenkins-2.301","jenkins-2.302","jenkins-2.303","jenkins-2.304","jenkins-2.305","jenkins-2.306","jenkins-2.307","jenkins-2.308","jenkins-2.309","jenkins-2.310","jenkins-2.311","jenkins-2.312","jenkins-2.313","jenkins-2.314","jenkins-2.316","jenkins-2.317","jenkins-2.318","jenkins-2.319","jenkins-2.320","jenkins-2.321","jenkins-2.322","jenkins-2.323","jenkins-2.324","jenkins-2.325","jenkins-2.326","jenkins-2.327","jenkins-2.328","jenkins-2.329","jenkins-2.330","jenkins-2.331","jenkins-2.332","jenkins-2.333","jenkins-2.334","jenkins-2.335","jenkins-2.336","jenkins-2.337","jenkins-2.338","jenkins-2.339","jenkins-2.340","jenkins-2.341","jenkins-2.342","jenkins-2.343","jenkins-2.344","jenkins-2.345","jenkins-2.346","jenkins-2.347","jenkins-2.348","jenkins-2.349","jenkins-2.350","jenkins-2.351","jenkins-2.352","jenkins-2.353","jenkins-2.354","jenkins-2.355","jenkins-2.356","jenkins-2.357","jenkins-2.358","jenkins-2.359","jenkins-2.360","jenkins-2.361","jenkins-2.362","jenkins-2.363","jenkins-2.364","jenkins-2.365","jenkins-2.366","jenkins-2.367","jenkins-2.368","jenkins-2.369","jenkins-2.371","jenkins-2.372","jenkins-2.373","jenkins-2.374","jenkins-2.375","jenkins-2.375.1","jenkins-2.375.1-rc","jenkins-2.375.2","jenkins-2.375.2-rc","jenkins-2.375.3","jenkins-2.375.3-rc","jenkins-2.376","jenkins-2.377","jenkins-2.378","jenkins-2.379","jenkins-2.380","jenkins-2.381","jenkins-2.382","jenkins-2.383","jenkins-2.384","jenkins-2.385","jenkins-2.386","jenkins-2.387","jenkins-2.388","jenkins-2.389","jenkins-2.390","jenkins-2.391","jenkins-2.392","jenkins-2.393"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-27898.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}