Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12cXdnLTR2NmYtaDZ4Nc0ilw

Stored XSS vulnerability in Matrix Project Plugin

Jenkins Matrix Project Plugin prior to 1.20 and 1.18.1 does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 and 1.18.1 escapes HTML metacharacters in node and label names, and label descriptions.

Permalink: https://github.com/advisories/GHSA-vqwg-4v6f-h6x5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cXdnLTR2NmYtaDZ4Nc0ilw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 4 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-vqwg-4v6f-h6x5, CVE-2022-20615
References:

• https://nvd.nist.gov/vuln/detail/CVE-2022-20615
• https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017
• http://www.openwall.com/lists/oss-security/2022/01/12/6
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20615.json
• https://github.com/jenkinsci/matrix-project-plugin/commit/78cc60556304965ffb2dd8c017bf61d4f153f5ea
• https://github.com/advisories/GHSA-vqwg-4v6f-h6x5

Repository: https://github.com/CVEProject/cvelist
Blast Radius: 1.0

Affected Packages