Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nOHBnLXFydm0td2doMs4AAkDM
Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.
Permalink: https://github.com/advisories/GHSA-g8pg-qrvm-wgh2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nOHBnLXFydm0td2doMs4AAkDM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-g8pg-qrvm-wgh2, CVE-2020-2161
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2161
- https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781
- http://www.openwall.com/lists/oss-security/2020/03/25/2
- https://github.com/jenkinsci/jenkins/commit/dbff6fdcf8c4bc00729ace66c33208ae7aa18ac0
- https://github.com/advisories/GHSA-g8pg-qrvm-wgh2
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: > 2.222.1, <= 2.227, <= 2.204.5Fixed in: 2.228, 2.204.6