Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mdndoLXd2NDMtOHFqNc4AAl8d
Stored XSS vulnerability in Validating String Parameter Plugin
Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.
Permalink: https://github.com/advisories/GHSA-fvwh-wv43-8qj5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mdndoLXd2NDMtOHFqNc4AAl8d
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-fvwh-wv43-8qj5, CVE-2020-2257
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2257
- https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1935
- http://www.openwall.com/lists/oss-security/2020/09/16/3
- https://github.com/jenkinsci/validating-string-parameter-plugin/commit/345a79d830a5fcd824a3c755506a438c78c48117
- https://github.com/advisories/GHSA-fvwh-wv43-8qj5
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:validating-string-parameter
Affected Version Ranges: <= 2.4
Fixed in: 2.5