Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cXdnLTR2NmYtaDZ4Nc0ilw
Stored XSS vulnerability in Matrix Project Plugin
Jenkins Matrix Project Plugin prior to 1.20 and 1.18.1 does not escape HTML metacharacters in node and label names, and label descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Matrix Project Plugin 1.20 and 1.18.1 escapes HTML metacharacters in node and label names, and label descriptions.
Permalink: https://github.com/advisories/GHSA-vqwg-4v6f-h6x5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cXdnLTR2NmYtaDZ4Nc0ilw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-vqwg-4v6f-h6x5, CVE-2022-20615
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-20615
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017
- http://www.openwall.com/lists/oss-security/2022/01/12/6
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20615.json
- https://github.com/jenkinsci/matrix-project-plugin/commit/78cc60556304965ffb2dd8c017bf61d4f153f5ea
- https://github.com/advisories/GHSA-vqwg-4v6f-h6x5
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:matrix-project
Affected Version Ranges: < 1.18.1, = 1.19Fixed in: 1.18.1, 1.20