Vulnerability-Lookup

CVE-2020-2244 (GCVE-0-2020-2244)

Vulnerability from cvelistv5 – Published: 2020-09-01 13:50 – Updated: 2024-08-04 07:01

Summary

Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Assigner

jenkins

References

2 references

URL	Tags
https://jenkins.io/security/advisory/2020-09-01/#…	x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/09/01/3	mailing-listx_refsource_MLIST

Impacted products

1 product

Vendor	Product	Version
Jenkins project	Jenkins Build Failure Analyzer Plugin	Affected: unspecified , ≤ 1.27.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:01:41.168Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
          },
          {
            "name": "[oss-security] 20200901 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Build Failure Analyzer Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "1.27.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:07:44.347Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
        },
        {
          "name": "[oss-security] 20200901 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2020-2244",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Build Failure Analyzer Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "1.27.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
            },
            {
              "name": "[oss-security] 20200901 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2020-2244",
    "datePublished": "2020-09-01T13:50:32.000Z",
    "dateReserved": "2019-12-05T00:00:00.000Z",
    "dateUpdated": "2024-08-04T07:01:41.168Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-2244",
      "date": "2026-06-23",
      "epss": "0.00753",
      "percentile": "0.50234"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:jenkins:build_failure_analyzer:*:*:*:*:*:jenkins:*:*\", \"versionEndIncluding\": \"1.27.0\", \"matchCriteriaId\": \"B30DC203-B81D-48E4-BFBD-DDC1E96E45A9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.\"}, {\"lang\": \"es\", \"value\": \"Jenkins Build Failure Analyzer Plugin versiones 1.27.0 y anteriores, no escapan el texto coincidente en una respuesta de comprobaci\\u00f3n de formulario, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) explotable por parte de atacantes capaces de proporcionar una salida de la consola para compilaciones usadas al probar indicaciones de registro de compilaci\\u00f3n\"}]",
      "id": "CVE-2020-2244",
      "lastModified": "2024-11-21T05:25:04.370",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-09-01T14:15:12.987",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2020/09/01/3\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770\", \"source\": \"jenkinsci-cert@googlegroups.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2020/09/01/3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-2244\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2020-09-01T14:15:12.987\",\"lastModified\":\"2024-11-21T05:25:04.370\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.\"},{\"lang\":\"es\",\"value\":\"Jenkins Build Failure Analyzer Plugin versiones 1.27.0 y anteriores, no escapan el texto coincidente en una respuesta de comprobaci\u00f3n de formulario, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) explotable por parte de atacantes capaces de proporcionar una salida de la consola para compilaciones usadas al probar indicaciones de registro de compilaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:build_failure_analyzer:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"1.27.0\",\"matchCriteriaId\":\"B30DC203-B81D-48E4-BFBD-DDC1E96E45A9\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2020/09/01/3\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2020/09/01/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2020-50957

Vulnerability from cnvd - Published: 2020-09-09

Title

CloudBees Jenkins XSS漏洞（CNVD-2020-50957）

Description

CloudBees Jenkins（Hudson Labs）是美国CloudBees公司的一套基于Java开发的持续集成工具。该产品主要用于监控持续的软件版本发布/测试项目和一些定时执行的任务。 Jenkins Build Failure Analyzer Plugin 1.27.0及之前版本存在XSS漏洞，该漏洞源于WEB应用缺少对客户端数据的正确验证，攻击者可利用该漏洞执行客户端代码。

Severity

低

Patch Name

CloudBees Jenkins XSS漏洞（CNVD-2020-50957）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://vigilance.fr/vulnerabilite/Jenkins-Plugins-multiples-vulnerabilites-33205

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-2244

Impacted products

Name
CloudBees Jenkins Build Failure Analyzer Plugin <=1.27.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-2244",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-2244"
    }
  },
  "description": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002\n\nJenkins Build Failure Analyzer Plugin 1.27.0\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728XSS\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://vigilance.fr/vulnerabilite/Jenkins-Plugins-multiples-vulnerabilites-33205",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-50957",
  "openTime": "2020-09-09",
  "patchDescription": "CloudBees Jenkins\uff08Hudson Labs\uff09\u662f\u7f8e\u56fdCloudBees\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJava\u5f00\u53d1\u7684\u6301\u7eed\u96c6\u6210\u5de5\u5177\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u76d1\u63a7\u6301\u7eed\u7684\u8f6f\u4ef6\u7248\u672c\u53d1\u5e03/\u6d4b\u8bd5\u9879\u76ee\u548c\u4e00\u4e9b\u5b9a\u65f6\u6267\u884c\u7684\u4efb\u52a1\u3002\r\n\r\nJenkins Build Failure Analyzer Plugin 1.27.0\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728XSS\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "CloudBees Jenkins XSS\u6f0f\u6d1e\uff08CNVD-2020-50957\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "CloudBees Jenkins Build Failure Analyzer Plugin \u003c=1.27.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-2244",
  "serverity": "\u4f4e",
  "submitTime": "2020-09-08",
  "title": "CloudBees Jenkins XSS\u6f0f\u6d1e\uff08CNVD-2020-50957\uff09"
}

FKIE_CVE-2020-2244

Vulnerability from fkie_nvd - Published: 2020-09-01 14:15 - Updated: 2026-06-17 03:12

Severity

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
jenkinsci-cert@googlegroups.com	http://www.openwall.com/lists/oss-security/2020/09/01/3	Mailing List, Third Party Advisory
jenkinsci-cert@googlegroups.com	https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2020/09/01/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770	Vendor Advisory

Impacted products

	Vendor	Product	Version
	jenkins	build_failure_analyzer	*

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "Jenkins Build Failure Analyzer Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "1.27.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "jenkinsci-cert@googlegroups.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jenkins:build_failure_analyzer:*:*:*:*:*:jenkins:*:*",
              "matchCriteriaId": "B30DC203-B81D-48E4-BFBD-DDC1E96E45A9",
              "versionEndIncluding": "1.27.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications."
    },
    {
      "lang": "es",
      "value": "Jenkins Build Failure Analyzer Plugin versiones 1.27.0 y anteriores, no escapan el texto coincidente en una respuesta de comprobaci\u00f3n de formulario, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) explotable por parte de atacantes capaces de proporcionar una salida de la consola para compilaciones usadas al probar indicaciones de registro de compilaci\u00f3n"
    }
  ],
  "id": "CVE-2020-2244",
  "lastModified": "2026-06-17T03:12:03.773",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-09-01T14:15:12.987",
  "references": [
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
    },
    {
      "source": "jenkinsci-cert@googlegroups.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
    }
  ],
  "sourceIdentifier": "jenkinsci-cert@googlegroups.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-P5JH-8RXP-WQJJ

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-12-20 22:38

Summary

XSS vulnerability in Jenkins Build Failure Analyzer Plugin

Details

Build Failure Analyzer Plugin 1.27.1 escapes matching text in the affected form validation response.

Severity

8.0 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.27.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.27.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T22:38:03Z",
    "nvd_published_at": "2020-09-01T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.\n\nBuild Failure Analyzer Plugin 1.27.1 escapes matching text in the affected form validation response.",
  "id": "GHSA-p5jh-8rxp-wqjj",
  "modified": "2022-12-20T22:38:03Z",
  "published": "2022-05-24T17:27:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2244"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/build-failure-analyzer-plugin/commit/c974938f213df0109269cb1b4508b8a1ec19f0ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/build-failure-analyzer-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XSS vulnerability in Jenkins Build Failure Analyzer Plugin"
}

GSD-2020-2244

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-2244

Aliases

CVE-2020-2244

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-2244",
    "description": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.",
    "id": "GSD-2020-2244",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-2244.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-2244"
      ],
      "details": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.",
      "id": "GSD-2020-2244",
      "modified": "2023-12-13T01:21:50.773337Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "jenkinsci-cert@googlegroups.com",
        "ID": "CVE-2020-2244",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Jenkins Build Failure Analyzer Plugin",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "unspecified",
                          "version_value": "1.27.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Jenkins project"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770",
            "refsource": "MISC",
            "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2020/09/01/3",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.27.0]",
          "affected_versions": "All versions up to 1.27.0",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2020-09-04",
          "description": "Jenkins Build Failure Analyzer Plugin does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.",
          "fixed_versions": [
            "1.27.1"
          ],
          "identifier": "CVE-2020-2244",
          "identifiers": [
            "CVE-2020-2244"
          ],
          "not_impacted": "All versions after 1.27.0",
          "package_slug": "maven/com.sonyericsson.jenkins.plugins.bfa/build-failure-analyzer",
          "pubdate": "2020-09-01",
          "solution": "Upgrade to version 1.27.1 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-2244",
            "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
          ],
          "uuid": "1b29e565-6447-4611-8850-2a081f35c9a9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:jenkins:build_failure_analyzer:*:*:*:*:*:jenkins:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.27.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2020-2244"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1770"
            },
            {
              "name": "[oss-security] 20200901 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2020/09/01/3"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-11-02T21:38Z",
      "publishedDate": "2020-09-01T14:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-2244 (GCVE-0-2020-2244)

CNVD-2020-50957

FKIE_CVE-2020-2244

GHSA-P5JH-8RXP-WQJJ

GSD-2020-2244

Tags

Sightings

Nomenclature