CVE-2020-2230 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.235.4 || >=2.236 <2.252

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01202 pctl0.78144

Details

Jenkins Cross-site Scripting vulnerability in project naming strategy Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, that is displayed on item creation.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.\n\nJenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

Metadata

Created: 2022-05-24T17:25:24Z
Modified: 2022-12-20T18:52:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9g4m-ffx6-c29g/GHSA-9g4m-ffx6-c29g.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-9g4m-ffx6-c29g
Finding: F425
Auto approve: 1