Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jZnZ3LTg0dnEtNDNteM4AAlX_

Stored XSS vulnerability in Jenkins Deployer Framework Plugin

Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location.

The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation.

Deployer Framework Plugin 1.3 escapes the URL.

Permalink: https://github.com/advisories/GHSA-cfvw-84vq-43mx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZnZ3LTg0dnEtNDNteM4AAlX_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 12 months ago


CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Identifiers: GHSA-cfvw-84vq-43mx, CVE-2020-2227
References: Repository: https://github.com/jenkinsci/deployer-framework-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:deployer-framework
Affected Version Ranges: <= 1.2
Fixed in: 1.3