Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNnFjLTQ1NW0tN3Y2ds4AAlYa
Stored XSS vulnerability in single axis builds tooltips in Jenkins Matrix Project Plugin
Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.
Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.
Permalink: https://github.com/advisories/GHSA-h6qc-455m-7v6vJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNnFjLTQ1NW0tN3Y2ds4AAlYa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-h6qc-455m-7v6v, CVE-2020-2224
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2224
- https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1924
- http://www.openwall.com/lists/oss-security/2020/07/15/5
- https://github.com/jenkinsci/matrix-project-plugin/commit/b5f22a43147360896442c4a7719446a864898cb4
- https://github.com/advisories/GHSA-h6qc-455m-7v6v
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:matrix-project
Affected Version Ranges: <= 1.16Fixed in: 1.17