Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xODdnLTdtcDUtNzY1cc4AAk08
Improper Neutralization of Input During Web Page Generation in Jenkins Script Security Plugin
Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.
Permalink: https://github.com/advisories/GHSA-q87g-7mp5-765q
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xODdnLTdtcDUtNzY1cc4AAk08
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.0005
EPSS Percentile: 0.21934
Identifiers: GHSA-q87g-7mp5-765q, CVE-2020-2190
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2190
- https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1866
- http://www.openwall.com/lists/oss-security/2020/06/03/3
- https://github.com/jenkinsci/script-security-plugin/commit/99e6ac0df5fe0f0cc6c2a695f7c1f845279bedbd
- https://github.com/advisories/GHSA-q87g-7mp5-765q
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:script-security
Affected Version Ranges: <= 1.72
Fixed in: 1.73