Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xZ2o0LXJjOG0tNDRtcc4AAlYS
Stored XSS vulnerability in Jenkins job build time trend
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier do not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. As the CVSS vector below (PR:L, UI:R) indicates, exploitation requires a user who can set an agent name and a victim who then views the build time trend page.
Jenkins 2.245 and LTS 2.235.2 escape the agent name.
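The defect the advisory describes is a classic one: data an authenticated user controls (the agent name) is written into generated HTML without escaping. The following is an added example, not Jenkins' own code or the code changed in the fix commit; the `renderAgentCell*` functions, the `escapeHtml` helper, the cell markup and the constructed agent name are all assumptions for illustration. It shows the unescaped rendering beside the hardened form and a crude check that tells them apart.

```javascript
// Added example (not Jenkins code): why an unescaped agent name in a generated
// HTML table cell is a stored XSS, and how HTML escaping removes it.

// Minimal escaping for text placed inside element content or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed attacker-controlled agent name (assumption for illustration):
// a user allowed to name agents stores markup that runs when the page renders.
const MALICIOUS_AGENT_NAME = 'build-agent<img src=x onerror=alert(document.domain)>';

// Vulnerable rendering: the name is concatenated into markup as-is
// (hypothetical; not the actual Jenkins template).
function renderAgentCellUnsafe(agentName) {
  return '<td class="agent">' + agentName + '</td>';
}

// Hardened rendering: escape before the value touches HTML.
function renderAgentCellSafe(agentName) {
  return '<td class="agent">' + escapeHtml(agentName) + '</td>';
}

// Crude detection: strip the known wrapper and look for any tag left inside.
// Good enough to distinguish the two renderings above; not a general XSS filter.
function containsInjectedTag(cellHtml) {
  const inner = cellHtml.replace(/^<td class="agent">/, '').replace(/<\/td>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Run stand-alone to see both renderings.
console.log('unsafe:', renderAgentCellUnsafe(MALICIOUS_AGENT_NAME));
console.log('safe:  ', renderAgentCellSafe(MALICIOUS_AGENT_NAME));
```

Escaping at the point where the value is written into HTML (rather than rejecting characters when the agent is created) is the durable fix, because the same name is rendered in many places and any new view would otherwise inherit the bug.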
Permalink: https://github.com/advisories/GHSA-qgj4-rc8m-44mq
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xZ2o0LXJjOG0tNDRtcc4AAlYS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0005
EPSS Percentile: 0.21934
Identifiers: GHSA-qgj4-rc8m-44mq, CVE-2020-2220
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2220
- https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1868
- http://www.openwall.com/lists/oss-security/2020/07/15/5
- https://github.com/jenkinsci/jenkins/commit/b43531acee280dedc3ea454a2fc5a1a42990ddda
- https://github.com/advisories/GHSA-qgj4-rc8m-44mq
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.236, <= 2.244 (weekly); <= 2.235.1 (LTS)
Fixed in: 2.245 (weekly), 2.235.2 (LTS)