Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1odm1jLTdnMngtcjNwOc4AAllE
Jenkins Cross-Site Scripting vulnerability in help icons
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.
This results in a stored cross-site scripting (XSS) vulnerability.
Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1odm1jLTdnMngtcjNwOc4AAllE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-hvmc-7g2x-r3p9, CVE-2020-2229
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2229
- https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
- http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html
- http://www.openwall.com/lists/oss-security/2020/08/12/4
- https://github.com/jenkinsci/jenkins/commit/fe4cbe03804d6240d0b58d0b2301ea9530a34916
- https://github.com/advisories/GHSA-hvmc-7g2x-r3p9
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.236, <= 2.251, <= 2.235.3Fixed in: 2.252, 2.235.4