CVE-2023-39151: 
Java vulnerability analysis and mitigation

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier contains a stored cross-site scripting (XSS) vulnerability (CVE-2023-39151) discovered in July 2023. The vulnerability exists in the build log functionality where the application fails to properly sanitize or encode URLs when transforming them into hyperlinks (Jenkins Advisory).

The vulnerability stems from Jenkins' feature that automatically transforms plain URLs into hyperlinks in build logs. The application does not properly sanitize or encode these URLs during the transformation process, leading to a stored XSS condition. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is tracked as SECURITY-3188 internally by Jenkins (NVD).

This vulnerability allows attackers who can control build log contents to execute malicious scripts in the context of other users' browsers when they view the affected build logs. The stored XSS nature of the vulnerability means the malicious payload persists in the application and can affect multiple users over time (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.416, LTS 2.401.3, and LTS 2.414.1. The fix involves properly encoding URLs of affected hyperlink annotations in build logs. Users are advised to upgrade to these or later versions to address the vulnerability (Jenkins Advisory).

The vulnerability was discovered and reported by Kevin Guerroudj and Devin Nusbaum from CloudBees, Inc. The Jenkins security team has classified this as a High severity issue, demonstrating the significant impact potential of this vulnerability (Jenkins Advisory).