CVE-2020-2224

CVSS v3.1

8.0

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Matrix Project Plugin versions 1.16 and earlier

Description The issue is related to a stored cross-site scripting vulnerability. It occurs because the node names shown in tooltips on the overview page of builds with a single axis are not properly escaped. This vulnerability is exploitable by users with Agent/Configure permission.

Recommendations For Jenkins Matrix Project Plugin versions 1.16 and earlier, update to version 1.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the overview page of builds with a single axis to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2020-2224

GHSA-H6QC-455M-7V6V

RHSA-2020:3453

RHSA-2020:3541

RHSA-2020:3625

RHSA-2020:4265

Affected Products

Jenkins

Jenkins Matrix Project Plugin

CVE-2020-2224

Weakness Enumeration

Related Identifiers

Affected Products

References · 8