GHSA-69vw-3pcm-84rw

GitHub Security Advisory

Jenkins Stored Cross-site Scripting vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, 2.414 and earlier, and LTS 2.401.2 and earlier do not sanitize or properly encode the URLs of these hyperlinks in build logs. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. Jenkins 2.416, 2.414.1, and LTS 2.401.3 encode the URLs of affected hyperlink annotations in build logs.
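The defect class described above, modelled as an added example rather than Jenkins' own annotator code: a log-line linkifier that HTML-escapes the visible text but drops the matched URL raw into the href attribute (the unencoded form), beside the corrected form that encodes the attribute value as the fixed releases do. The URL pattern, the sample log line and the helper names are assumptions made for the illustration; the tag-collecting parser is a detection aid that shows whether a log line produced more markup than the single anchor it should.

```python
import html
import re
from html.parser import HTMLParser

# Assumed, simplified URL matcher: a scheme followed by non-whitespace characters.
# The real Jenkins annotator is more elaborate; this only models the encoding step.
URL_RE = re.compile(r"https?://\S+")

# Constructed log line (not from any real build). The URL carries characters
# that terminate an HTML attribute and open a new element when left unencoded.
SAMPLE_LOG_LINE = 'Fetching http://example.com/a?b="><b>injected</b> done'


def _render(line: str, encode_href: bool) -> str:
    """Turn plain URLs in a log line into anchors.

    Visible text is always escaped; the href attribute value is escaped only
    when encode_href is True, which is the difference between the two variants.
    """
    out = []
    pos = 0
    for m in URL_RE.finditer(line):
        out.append(html.escape(line[pos:m.start()]))
        url = m.group(0)
        href = html.escape(url, quote=True) if encode_href else url
        out.append(f'<a href="{href}">{html.escape(url)}</a>')
        pos = m.end()
    out.append(html.escape(line[pos:]))
    return "".join(out)


def linkify_unencoded(line: str) -> str:
    """Vulnerable variant: raw URL inside the href attribute."""
    return _render(line, encode_href=False)


def linkify_encoded(line: str) -> str:
    """Fixed variant: href value is attribute-encoded (quote=True escapes '"')."""
    return _render(line, encode_href=True)


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(rendered: str) -> list[str]:
    """Detection helper: element names present in the rendered log markup.

    A correctly encoded line yields exactly one 'a' per URL; anything else
    means log content escaped the attribute and became markup.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for name, fn in (("unencoded", linkify_unencoded), ("encoded", linkify_encoded)):
        rendered = fn(SAMPLE_LOG_LINE)
        print(f"{name}: {rendered}")
        print(f"  elements: {element_names(rendered)}")
```

Running the block shows the unencoded variant producing an extra `b` element from log-controlled input, while the encoded variant produces only the single anchor, with the quote and angle brackets surviving as `&quot;`, `&gt;` and `&lt;` inside the href value. The same parser check can be pointed at any rendered log fragment to confirm that an annotator emits no elements beyond the anchors it intends.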

Affected Packages

Maven org.jenkins-ci.main:jenkins-core
Affected versions: >= 2.402 (fixed in 2.414.1)
Maven org.jenkins-ci.main:jenkins-core
Affected versions: >= 0 (fixed in 2.401.3)
Maven org.jenkins-ci.main:jenkins-core
Affected versions: >= 2.415 (fixed in 2.416)

Key Information

GHSA ID
GHSA-69vw-3pcm-84rw
Published
July 26, 2023 3:30 PM
Last Modified
August 21, 2023 5:22 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.main:jenkins-core
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.