ghsa-hvmc-7g2x-r3p9
Vulnerability from github
Published
2022-05-24 17:25
Modified
2023-12-22 13:53
Severity
Summary
Jenkins Cross-Site Scripting vulnerability in help icons
Details
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability. Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 2.235.3" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.235.4" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 2.251" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "2.236" }, { "fixed": "2.252" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-2229" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-06-23T23:18:53Z", "nvd_published_at": "2020-08-12T14:15:00Z", "severity": "HIGH" }, "details": "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.\nThis results in a stored cross-site scripting (XSS) vulnerability.\nJenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.", "id": "GHSA-hvmc-7g2x-r3p9", "modified": "2023-12-22T13:53:54Z", "published": "2022-05-24T17:25:24Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2229" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/fe4cbe03804d6240d0b58d0b2301ea9530a34916" }, { "type": "PACKAGE", "url": "https://github.com/jenkinsci/jenkins" }, { "type": "WEB", "url": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1955" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2020/08/12/4" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Jenkins Cross-Site Scripting vulnerability in help icons" }
Loading...