CVE-2023-27898: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Jenkins versions 2.270 through 2.393 and LTS 2.277.1 through 2.375.3. The vulnerability (CVE-2023-27898) exists because Jenkins does not escape the Jenkins version a plugin depends on when rendering error messages about plugin incompatibility in the plugin manager. This vulnerability was discovered and reported by Ilay Goldman and Yakir Kadkoda from Aqua Security (Jenkins Advisory).

The vulnerability occurs in the plugin manager when rendering error messages about plugin incompatibility with the current Jenkins version. The issue stems from insufficient sanitization of plugin version dependencies, which allows for stored XSS attacks. The vulnerability has been assigned a High severity CVSS rating. Exploitation does not require the manipulated plugin to be installed, but requires attackers to be able to provide plugins to the configured update sites and have the error message shown by Jenkins instances (Jenkins Advisory).

The vulnerability allows attackers who can provide plugins to configured update sites to execute arbitrary JavaScript code in the context of users viewing the plugin manager. However, due to how Jenkins community update sites serve plugin metadata based on reported Jenkins core versions, it is unlikely that reasonably up-to-date Jenkins instances would show the vulnerable error message (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1, which properly escape the Jenkins version when rendering plugin incompatibility error messages. Additionally, Jenkins community update sites no longer publish plugin releases with invalid Jenkins core dependencies since 2023-02-15, preventing exploitation through official update sites even on older Jenkins versions (Jenkins Advisory).