Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocTJoLTltYzMtaDZ3Ms4AAl8v
Stored XSS vulnerability in Pipeline Maven Integration Plugin via unescaped display name
Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.
Permalink: https://github.com/advisories/GHSA-hq2h-9mc3-h6w2JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocTJoLTltYzMtaDZ3Ms4AAl8v
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00054
EPSS Percentile: 0.23527
Identifiers: GHSA-hq2h-9mc3-h6w2, CVE-2020-2256
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2256
- https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1976
- http://www.openwall.com/lists/oss-security/2020/09/16/3
- https://github.com/jenkinsci/pipeline-maven-plugin/commit/78b8e6d49bffcc6b65064a882c03a2b4bb157230
- https://github.com/advisories/GHSA-hq2h-9mc3-h6w2
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:pipeline-maven
Affected Version Ranges: <= 3.9.2Fixed in: 3.9.3