CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The patch introduces HTML escaping via URIUtil.htmlEscape() in both ErrorServlet.java and WinstoneResponse.java. Before the patch, both files interpolated raw, user-controlled error messages directly into their HTML templates without sanitization; the cross-site scripting vulnerability stems from the missing escaping in these error-handling paths, and the commit addresses it by adding the htmlEscape() calls. The affected functions are identified in the diff, and their role in rendering error messages matches the XSS vulnerability description.
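To make the pre-patch and post-patch patterns concrete, the following is an added illustration and not Jenkins or Winstone code. It renders a minimal error page two ways: the unsafe form concatenates the user-controlled message straight into the template, as the pre-patch code did, and the safe form routes it through an escaper first. The escapeHtml() method here is a hypothetical stand-in for URIUtil.htmlEscape(), whose implementation is not reproduced on this page; the sample error message is constructed for the demonstration.

```java
import java.util.Map;

/**
 * Added example (not Jenkins/Winstone code): an error page rendered with and
 * without HTML escaping of a user-controlled message. escapeHtml() is a
 * hypothetical stand-in for URIUtil.htmlEscape().
 */
public class ErrorPageEscapingExample {

    /** Escape the characters that change meaning in HTML text and attribute context. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Pre-patch pattern: the raw message is dropped straight into the template. */
    static String renderErrorUnsafe(int status, String message) {
        return "<html><body><h1>Error " + status + "</h1><p>"
                + message + "</p></body></html>";
    }

    /** Post-patch pattern: every user-controlled fragment passes through the escaper. */
    static String renderErrorSafe(int status, String message) {
        return "<html><body><h1>Error " + status + "</h1><p>"
                + escapeHtml(message) + "</p></body></html>";
    }

    /**
     * Simple check a reviewer or test can apply: if the input contained markup and
     * the rendered page still contains that input verbatim, the page did not escape it.
     */
    static boolean containsUnescapedInput(String rendered, String input) {
        return input.indexOf('<') >= 0 && rendered.contains(input);
    }

    public static void main(String[] args) {
        // Constructed sample: an error message that echoes request-supplied text containing markup.
        String message = "No such job: <b>build-42</b> & \"quoted\"";

        Map<String, String> pages = Map.of(
                "unsafe", renderErrorUnsafe(404, message),
                "safe", renderErrorSafe(404, message));

        for (Map.Entry<String, String> e : pages.entrySet()) {
            System.out.println(e.getKey() + " page: " + e.getValue());
            System.out.println("  input reaches the page unescaped: "
                    + containsUnescapedInput(e.getValue(), message));
        }
    }
}
```

The check in containsUnescapedInput() is the kind of assertion worth keeping in a test suite for any error-rendering path: feed it a message containing markup and require that the rendered response never contains the input verbatim.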
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.main:jenkins-core | maven | < 1.409.3 | 1.409.3 |
| org.jenkins-ci.main:jenkins-core | maven | >= 1.410, < 1.438 | 1.438 |