CVE-2023-43495: 
Java vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Jenkins, identified as CVE-2023-43495. The vulnerability affects Jenkins versions 2.423 and earlier, as well as LTS 2.414.1 and earlier, where the 'caption' constructor parameter of 'ExpandableDetailsNote' is not properly escaped. This vulnerability was disclosed on September 20, 2023, and was assigned a High severity rating (Jenkins Advisory).

The vulnerability exists in the ExpandableDetailsNote feature, which is designed to annotate build log content with additional information that can be revealed through user interaction. The core issue stems from the improper escaping of the 'caption' constructor parameter values, leading to a stored XSS vulnerability. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

While the vulnerability is rated as High severity by Jenkins, it's important to note that as of the publication date, the affected API was not used within Jenkins core, and the Jenkins security team was not aware of any affected plugins. However, if exploited, attackers who can control the caption parameter values could potentially execute cross-site scripting attacks (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.424 and Jenkins LTS 2.414.2, where the caption constructor parameter values are properly escaped. Users are advised to upgrade to these versions or later to address the vulnerability (Jenkins Advisory).