CVE-2020-2231 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.235.4 || >=2.237 <2.252
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00612 (percentile: 0.68875)
Details
Improper Neutralization of Input During Web Page Generation in Jenkins. Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Metadata
Created: 2022-05-24T17:25:24Z
Modified: 2022-06-23T23:19:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpvq-v729-7j2h/GHSA-jpvq-v729-7j2h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jpvq-v729-7j2h
Finding: F425
Auto approve: 1