CVE-2023-27905
Java vulnerability analysis and mitigation

Overview

CVE-2023-27905 is a stored cross-site scripting (XSS) vulnerability in Jenkins update-center2 versions 3.13 and 3.14, discovered in January 2023. The vulnerability affects the tool used to generate Jenkins update sites hosted on updates.jenkins.io. The issue stems from improper sanitization of plugin metadata when rendering the required Jenkins core version on plugin download index pages (Jenkins Advisory).

Technical details

The vulnerability occurs when update-center2 renders the required Jenkins core version on plugin download index pages without proper sanitization of plugin metadata. For the vulnerability to be exploitable in a self-hosted update-center2, two preconditions must be met: generation of download pages must be enabled (via the --download-links-directory argument), and a custom download page template must be in use (via the --index-template-url argument) that does not prevent JavaScript execution through Content-Security-Policy. The vulnerability is rated Medium severity (CVSS) (Jenkins Advisory, Aqua Blog).

Impact

When exploited, this vulnerability allows attackers who can provide a plugin for hosting to execute arbitrary JavaScript code through stored XSS. When chained with other vulnerabilities, it could lead to code execution on the Jenkins server. The impact extends to self-hosted Jenkins servers and can affect systems even when they are not directly accessible over the internet (CERT-EU, Hacker News).

Mitigation and workarounds

The vulnerability has been patched in update-center2 version 3.15, which filters out plugin releases with invalid Jenkins core dependencies. Administrators hosting their own update sites using update-center2 or a fork are advised to update to version 3.15 or integrate the commit 091ef999. The fix was deployed to the Jenkins community update sites on February 15, 2023 (Jenkins Advisory).
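The two defensive ideas in the sections above, rejecting plugin metadata whose required core version is not well formed and only rendering through a template whose Content-Security-Policy restricts script, can be illustrated in a few lines. The following Python is an added example for this page, not update-center2's own code or its actual fix: the version pattern, the function names, the CSP check and the sample plugin records are all assumptions made for the illustration.

```python
"""Added example (Python, not update-center2's own code): validate plugin
metadata before it reaches a generated download page, HTML-escape the
rendered fields regardless, and check whether an index template's CSP
still allows inline script. Names, sample data and the version pattern are
assumptions made for this illustration."""
import html
import re
from typing import Dict, List, Tuple

# Assumed shape of a Jenkins core version: dot-separated integers, e.g. "2.387.1".
# The real project's rule may differ; this is the example's own definition.
CORE_VERSION_RE = re.compile(r"^[0-9]+(\.[0-9]+)*$")


def is_valid_core_version(value: str) -> bool:
    """True only for plain numeric versions; markup, quotes or stray
    whitespace make the value invalid metadata rather than renderable text."""
    return bool(CORE_VERSION_RE.fullmatch(value))


def filter_releases(
    releases: List[Dict[str, str]],
) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Mirror, in spirit, the mitigation the advisory describes: drop releases
    whose requiredCore is not a well-formed version instead of publishing them."""
    kept: List[Dict[str, str]] = []
    rejected: List[Dict[str, str]] = []
    for rel in releases:
        if is_valid_core_version(rel.get("requiredCore", "")):
            kept.append(rel)
        else:
            rejected.append(rel)
    return kept, rejected


def render_index_row(release: Dict[str, str]) -> str:
    """Defense in depth: even validated fields are escaped at the template
    boundary, so a future gap in validation cannot become script injection."""
    name = html.escape(release["name"], quote=True)
    version = html.escape(release["version"], quote=True)
    core = html.escape(release["requiredCore"], quote=True)
    return f"<tr><td>{name}</td><td>{version}</td><td>requires core {core}</td></tr>"


def csp_blocks_inline_script(csp_header: str) -> bool:
    """Minimal check for the second precondition in the advisory: does the
    template's Content-Security-Policy restrict script execution at all?
    Returns True when a script-src directive (or the default-src fallback)
    is present and does not list 'unsafe-inline'. CSP3 nonce/hash special
    cases are deliberately not modelled here."""
    directives: Dict[str, List[str]] = {}
    for part in csp_header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # nothing governs script: inline script would run
    return "'unsafe-inline'" not in sources


# Constructed sample metadata, not taken from any real update site.
SAMPLE_RELEASES = [
    {"name": "good-plugin", "version": "1.0", "requiredCore": "2.387.1"},
    {"name": "bad-plugin", "version": "0.1",
     "requiredCore": "2.0<script>alert(1)</script>"},
    {"name": "sloppy-plugin", "version": "2.3", "requiredCore": "2.375 "},
]

if __name__ == "__main__":
    kept, rejected = filter_releases(SAMPLE_RELEASES)
    print(f"kept {len(kept)}, rejected {len(rejected)}")
    for rel in kept:
        print(render_index_row(rel))
    print(csp_blocks_inline_script("default-src 'self'; script-src 'self'"))
```

The filter is the primary control, because a release with malformed metadata should never reach the generator; the escaping in render_index_row and the CSP check are the layers that limit damage if it does. Note that "sloppy-plugin" is rejected only because of a trailing space, which is the intended strictness: anything that is not exactly a version is treated as untrusted.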

This report was generated using AI.

Related Java vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name                                         | CISA KEV exploit | Has fix | Published date
CVE-2025-29847 | HIGH     | 7.5   | Java         | org.apache.linkis:linkis                               | No               | Yes     | Jan 19, 2026
CVE-2026-1050  | MEDIUM   | 6.9   | Java         | net.risesoft:risenet-y9boot-support-platform-service   | No               | No      | Jan 17, 2026
CVE-2025-15104 | MEDIUM   | 6.9   | JavaScript   | vnu-jar                                                | No               | No      | Jan 16, 2026
CVE-2025-59355 | MEDIUM   | 6.5   | Java         | org.apache.linkis:linkis-metadata                      | No               | Yes     | Jan 19, 2026
CVE-2026-0858  | MEDIUM   | 5.1   | Java         | net.sourceforge.plantuml:plantuml                      | No               | Yes     | Jan 16, 2026
