PT-2020-15439 · Cloudbees+1 · Jenkins

Oleg Nenashev · Published 2020-07-15 · Updated 2024-03-06

CVE-2020-2223

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.244 and earlier
Jenkins LTS versions 2.235.1 and earlier

Description
The issue results from incorrect escaping of the href attribute of links to downstream jobs displayed in the build console page, leading to a stored cross-site scripting vulnerability. This vulnerability is exploitable by users with Job/Configure permission.

Recommendations
For Jenkins versions 2.244 and earlier, update to version 2.245 or later to resolve the issue. For Jenkins LTS versions 2.235.1 and earlier, update to version 2.235.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the build console page for users with Job/Configure permission until a patch is applied.
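The weakness class named above, attribute-context escaping of a link built from user-controlled data, is illustrated by the following added example. It is not Jenkins code and does not reproduce the actual fix; it is written in Python rather than Jenkins' Java/Jelly, and the function names, the sample job name and the base URL are constructed for the demonstration. It renders the same link twice, once with plain interpolation and once escaped for the attribute context with a scheme check on the target, then parses both results the way a browser would to show that only the unescaped version grows an extra attribute.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input (not from the advisory): a downstream job name that
# contains a double quote, the character that terminates an HTML attribute value.
SAMPLE_JOB_NAME = 'deploy" data-injected="1'
SAMPLE_BASE_URL = "/jenkins/job/"


def render_link_vulnerable(base_url: str, job_name: str) -> str:
    """The pattern the advisory describes: the job name is dropped into href
    (and the link text) with no attribute escaping, so a quote in the name
    closes the href value and the remainder becomes page-author markup."""
    return f'<a href="{base_url}{job_name}/">{job_name}</a>'


def is_safe_link_target(url: str) -> bool:
    """Allow only same-site absolute paths or http(s) URLs; any other scheme
    (javascript:, data:, vbscript:, ...) is rejected before rendering."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return url.startswith("/")
    return parts.scheme in ("http", "https")


def render_link_hardened(base_url: str, job_name: str) -> str:
    """Escape for the attribute context (quote=True converts both quote kinds,
    plus & < >) and validate the target before it reaches the page."""
    target = f"{base_url}{job_name}/"
    if not is_safe_link_target(target):
        raise ValueError("refusing to render link with unsafe target")
    return (f'<a href="{html.escape(target, quote=True)}">'
            f'{html.escape(job_name, quote=True)}</a>')


class _AnchorAttrs(HTMLParser):
    """Collects the attributes of the first <a> tag, unescaped as a browser
    would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    """Return {attribute: value} for the first anchor in the markup."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs or {}


if __name__ == "__main__":
    for label, render in (("vulnerable", render_link_vulnerable),
                          ("hardened", render_link_hardened)):
        markup = render(SAMPLE_BASE_URL, SAMPLE_JOB_NAME)
        print(label, markup)
        print("  parsed attributes:", anchor_attributes(markup))
```

The vulnerable render yields an anchor with two attributes, href and the injected one, because the quote in the job name ended the href value early; the hardened render yields exactly one attribute whose value still contains the quote, now inert. The scheme check is separate from escaping: escaping stops the value from leaving the attribute, while the allowlist stops a well-formed but dangerous URL from being used as the target.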

Fix

XSS

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2020-2223
CVE-2020-2223
GHSA-GFHJ-524Q-GCRM
RHSA-2020:3519
RHSA-2020:3541
RHSA-2020:3808

Affected Products

Jenkins