ghsa-hvmc-7g2x-r3p9
Vulnerability from github
Published
2022-05-24 17:25
Modified
2023-12-22 13:53
Severity
8.0 (High) - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Jenkins Cross-Site Scripting vulnerability in help icons
Details

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability. Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.235.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.235.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.251"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.main:jenkins-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.236"
            },
            {
              "fixed": "2.252"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-23T23:18:53Z",
    "nvd_published_at": "2020-08-12T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.\nThis results in a stored cross-site scripting (XSS) vulnerability.\nJenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.",
  "id": "GHSA-hvmc-7g2x-r3p9",
  "modified": "2023-12-22T13:53:54Z",
  "published": "2022-05-24T17:25:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/jenkins/commit/fe4cbe03804d6240d0b58d0b2301ea9530a34916"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/jenkins"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1955"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/08/12/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Cross-Site Scripting vulnerability in help icons"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.