Primary

Context

Jenkins Coverage Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

Patched

A stored cross-site scripting vulnerability has been identified in the Jenkins Coverage Plugin, specifically in versions through 2.3054.ve1ff7b_a_a_123b_. The vulnerability arises because the plugin does not properly validate coverage results IDs when creating coverage results, allowing attackers with Item/Configure permission to inject a 'javascript:' scheme URL as an identifier. This issue can be exploited by configuring the job through the REST API, bypassing the validation that occurs when submitting job configurations via the user interface.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Remediation

Users of the Jenkins Coverage Plugin should update to version 2.3056.v1dfe888b_0249, which includes the necessary validation for coverage results IDs. Instructions for updating can be found on the Jenkins Update Center.

Added: Dec 10, 2025, 5:19 PM

Updated: Dec 10, 2025, 8:39 PM

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

1.7

exploitability

4.9

remediation

7.7

relevance

1.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.7

impact

1.7

exploitability

4.9

remediation

7.7

relevance

1.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Jenkins Coverage Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Jenkins

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating