Jenkins Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts.
Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.

Affected Packages

Maven org.jenkins-ci.plugins.workflow:workflow-job

Affected versions: 0 (fixed in 1295.v395eb)

Related CVEs

CVE-2023-32977

Key Information

GHSA ID

GHSA-2wvv-phhw-qvmc

Published

May 16, 2023 6:30 PM

Last Modified

May 17, 2023 2:58 AM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins.workflow:workflow-job

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.