Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05ZzRtLWZmeDYtYzI5Z84AAllI
Jenkins Cross-site Scripting vulnerability in project naming strategy
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, that is displayed on item creation.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.\n\nJenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.
Permalink: https://github.com/advisories/GHSA-9g4m-ffx6-c29gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05ZzRtLWZmeDYtYzI5Z84AAllI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-9g4m-ffx6-c29g, CVE-2020-2230
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2230
- https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957
- http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html
- http://www.openwall.com/lists/oss-security/2020/08/12/4
- https://github.com/jenkinsci/jenkins/commit/e49f690939596acbc9a1be64128b2c7eaf91a6db
- https://github.com/advisories/GHSA-9g4m-ffx6-c29g
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.236, <= 2.251, <= 2.235.3Fixed in: 2.252, 2.235.4