ghsa-qgj4-rc8m-44mq
Vulnerability from github
Published
2022-05-24 17:23
Modified
2022-12-27 18:13
Severity
High (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Summary
Stored XSS vulnerability in Jenkins job build time trend
Details
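Jenkins 2.244 and earlier, and LTS 2.235.1 and earlier, do not escape the agent name on the build time trend page, resulting in a stored cross-site scripting (XSS) vulnerability. The advisory's CVSS vector (PR:L, UI:R) indicates that exploitation requires an account with low-level privileges and interaction by another user.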
Jenkins 2.245 and LTS 2.235.2 escape the agent name; installations on earlier versions should upgrade to one of these releases or later.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 2.235.1" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.235.2" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 2.244" }, "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "2.236" }, { "fixed": "2.245" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-2220" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-06-24T00:54:57Z", "nvd_published_at": "2020-07-15T18:15:00Z", "severity": "HIGH" }, "details": "Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability.\n\nJenkins 2.245, LTS 2.235.2 escapes the agent name.", "id": "GHSA-qgj4-rc8m-44mq", "modified": "2022-12-27T18:13:10Z", "published": "2022-05-24T17:23:38Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2220" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/b43531acee280dedc3ea454a2fc5a1a42990ddda" }, { "type": "PACKAGE", "url": "https://github.com/jenkinsci/jenkins" }, { "type": "WEB", "url": "https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1868" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2020/07/15/5" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Stored XSS vulnerability in Jenkins job build time trend" }