Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNWpoLThyeHAtd3Fqas4AAlyD
XSS vulnerability in Jenkins Build Failure Analyzer Plugin
Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not HTML-escape the matched text it returns in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers who can control the console output of a build that is then used to test a build log indication.
Build Failure Analyzer Plugin 1.27.1 escapes the matched text in the affected form validation response. Upgrade to 1.27.1 or later.
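The pattern behind this advisory, as an added illustration rather than the plugin's own code or the contents of the fix commit: a Stapler form-validation method in the style Jenkins plugins use behind a "Test" button, first returning the matched console text as raw markup, then returning it escaped. The class and method names (IndicationValidationExample, doTestIndicationUnsafe, doTestIndication) and the parameter names (pattern, testText) are assumptions for illustration; the Jenkins APIs used (hudson.util.FormValidation, hudson.Util.escape, org.kohsuke.stapler.QueryParameter) are real.

```java
// Added example, not the plugin's code. Names of the class, methods and
// query parameters are assumptions chosen for illustration.
import hudson.Util;
import hudson.util.FormValidation;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import org.kohsuke.stapler.QueryParameter;

public class IndicationValidationExample {

    // VULNERABLE: testText is build console output, which an attacker who can
    // influence a build can make contain e.g. <img src=x onerror=alert(1)>.
    // okWithMarkup() renders its argument as raw HTML in the validation
    // response, and Jenkins' form-validation JavaScript inserts that HTML into
    // the page of whoever clicked "Test", so the matched substring executes.
    public FormValidation doTestIndicationUnsafe(@QueryParameter String pattern,
                                                 @QueryParameter String testText) {
        String text = testText == null ? "" : testText;
        Matcher m;
        try {
            m = Pattern.compile(pattern).matcher(text);
        } catch (PatternSyntaxException e) {
            // error(String) escapes its message itself, so this line is safe.
            return FormValidation.error("Invalid pattern: " + e.getMessage());
        }
        if (m.find()) {
            return FormValidation.okWithMarkup("Pattern matches: <b>" + m.group() + "</b>");
        }
        return FormValidation.warning("Pattern does not match");
    }

    // FIXED: HTML-escape the untrusted substring before placing it inside the
    // plugin-authored <b> tags. Util.escape() turns < > & " into entities, so
    // a console line such as <script>...</script> is displayed, not executed.
    public FormValidation doTestIndication(@QueryParameter String pattern,
                                           @QueryParameter String testText) {
        String text = testText == null ? "" : testText;
        Matcher m;
        try {
            m = Pattern.compile(pattern).matcher(text);
        } catch (PatternSyntaxException e) {
            return FormValidation.error("Invalid pattern: " + e.getMessage());
        }
        if (m.find()) {
            return FormValidation.okWithMarkup("Pattern matches: <b>" + Util.escape(m.group()) + "</b>");
        }
        return FormValidation.warning("Pattern does not match");
    }
}
```

FormValidation.okWithMarkup, errorWithMarkup and warningWithMarkup render their argument as HTML, so any substring derived from untrusted input must pass through Util.escape before it is concatenated in. The plain FormValidation.ok(String), error(String) and warning(String) variants escape their argument themselves; when no plugin-authored markup is needed, returning FormValidation.ok("Pattern matches: " + m.group()) is the simpler fix. When reviewing a plugin for this class of bug, grep for the *WithMarkup variants and trace every concatenated value back to its source; when checking a running instance, confirm the installed Build Failure Analyzer Plugin is 1.27.1 or later.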
Permalink: https://github.com/advisories/GHSA-p5jh-8rxp-wqjj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNWpoLThyeHAtd3Fqas4AAlyD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-p5jh-8rxp-wqjj, CVE-2020-2244
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2244
- https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770
- http://www.openwall.com/lists/oss-security/2020/09/01/3
- https://github.com/jenkinsci/build-failure-analyzer-plugin/commit/c974938f213df0109269cb1b4508b8a1ec19f0ff
- https://github.com/advisories/GHSA-p5jh-8rxp-wqjj
Blast Radius: 1.0
Affected Packages
maven:com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer
Affected Version Ranges: <= 1.27.0
Fixed in: 1.27.1