PT-2020-15443 · Jenkins · Jenkins Deployer Framework Plugin+1
Wadeck Follonier
·
Published
2020-07-15
·
Updated
2023-10-25
·
CVE-2020-2227
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Deployer Framework Plugin versions 1.2 and earlier
Description
The issue is related to a stored cross-site scripting vulnerability. It occurs because the URL displayed in the build home page is not properly escaped. This vulnerability is exploitable by users who can provide the location, but its exploitability depends on the specific implementation using the Deployer Framework Plugin. There is no reported case of an exploitable implementation by the Jenkins security team.
Recommendations
For Jenkins Deployer Framework Plugin versions 1.2 and earlier, update to version 1.3 or later, which properly escapes the URL and resolves the issue.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Deployer Framework Plugin