Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yamNoLWo1eDktZmdwaM4AAmLA
Stored XSS vulnerability in Jenkins Active Choices Plugin
Jenkins Active Choices Plugin 2.4 and earlier does not escape List
and Map
return values of sandboxed scripts for Reactive Reference Parameters.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
This issue is caused by an incomplete fix for SECURITY-470.
Active Choices Plugin 2.5 escapes all legal return values of sandboxed scripts.
Permalink: https://github.com/advisories/GHSA-rjch-j5x9-fgphJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yamNoLWo1eDktZmdwaM4AAmLA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-rjch-j5x9-fgph, CVE-2020-2290
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2290
- https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2008
- http://www.openwall.com/lists/oss-security/2020/10/08/5
- https://github.com/jenkinsci/active-choices-plugin/commit/15e3e01929a687965f44d9d06cd2d870628a54dc
- https://github.com/advisories/GHSA-rjch-j5x9-fgph
Blast Radius: 1.0
Affected Packages
maven:org.biouno:uno-choice
Affected Version Ranges: < 2.5Fixed in: 2.5