Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13NDN4LTVmOGYtNjg2cM4AAlYY
Stored XSS vulnerability in multiple axis builds tooltips in Jenkins Matrix Project Plugin
Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.
Permalink: https://github.com/advisories/GHSA-w43x-5f8f-686pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NDN4LTVmOGYtNjg2cM4AAlYY
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-w43x-5f8f-686p, CVE-2020-2225
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2225
- https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1925
- http://www.openwall.com/lists/oss-security/2020/07/15/5
- https://github.com/jenkinsci/matrix-project-plugin/commit/b5f22a43147360896442c4a7719446a864898cb4
- https://github.com/advisories/GHSA-w43x-5f8f-686p
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:matrix-project
Affected Version Ranges: <= 1.16Fixed in: 1.17