CVE-2020-2220 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.235.2 || >=2.236 <2.245
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00257 (percentile 0.48867)
Details
Stored XSS vulnerability in Jenkins job build time trend.
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the agent name.
Metadata
Created: 2022-05-24T17:23:38Z
Modified: 2022-12-27T18:13:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qgj4-rc8m-44mq/GHSA-qgj4-rc8m-44mq.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-qgj4-rc8m-44mq
Finding: F425
Auto approve: 1