CVE-2020-2283 – org.jenkins-ci.plugins:liquibase-runner
Package
Manager: maven
Name: org.jenkins-ci.plugins:liquibase-runner
Vulnerable Version: >=0 <1.4.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00233 (percentile 0.4604)
Details
Stored XSS vulnerability in Jenkins Liquibase Runner Plugin
Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents when showing them on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide Liquibase changesets evaluated by the plugin. Liquibase Runner Plugin 1.4.7 no longer supports evaluating changesets.
Metadata
Created: 2022-05-24T17:29:16Z
Modified: 2023-10-27T11:31:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg7-xmf8-jxf9/GHSA-9hg7-xmf8-jxf9.json
CWE IDs: CWE-79
Alternative ID: GHSA-9hg7-xmf8-jxf9
Finding: F425
Auto approve: 1