CVE-2020-2226 – org.jenkins-ci.plugins:matrix-auth
Package
Manager: maven
Name: org.jenkins-ci.plugins:matrix-auth
Vulnerable Version: >=0 <2.6.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00108 pctl0.2969
Details
Stored XSS vulnerability in Jenkins Matrix Authorization Strategy Plugin

Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability.

When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission; otherwise it requires Overall/Administer permission.

Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission table.
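The example below is added here to illustrate the advisory; it is not code from the Matrix Authorization Strategy Plugin. It shows a permission-table row rendered the way 2.6.1 behaves (the user name concatenated into the HTML unescaped) next to the escaped rendering that 2.6.2 applies, and a check that scans a job's config.xml for permission entries whose principal contains HTML-significant characters, which is what an attacker with Job/Configure would have stored. The config.xml snippet is constructed, and the exact element names and "permission:principal" layout are assumptions about the on-disk format; the scan itself only looks at the entry text, so it does not depend on that layout.

```python
"""CVE-2020-2226 illustration: unescaped vs. escaped user names in a
permission table, plus a config.xml scan for markup-bearing principals.

Added example, not the plugin's own code.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample of a project-based matrix authorization block as it
# might appear in a job's config.xml. Element names and the
# "permission-id:principal" layout are assumptions used for illustration.
SAMPLE_CONFIG_XML = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <properties>
    <hudson.security.AuthorizationMatrixProperty>
      <permission>hudson.model.Item.Read:alice</permission>
      <permission>hudson.model.Item.Configure:bob</permission>
      <permission>hudson.model.Item.Read:&lt;img src=x onerror=alert(document.domain)&gt;</permission>
    </hudson.security.AuthorizationMatrixProperty>
  </properties>
</project>
"""

# Characters that change meaning when placed into HTML text or attributes.
HTML_SPECIAL = re.compile(r'[<>"\'&]')


def _permission_cells(permissions: dict) -> str:
    """Render one checkbox cell per permission (shared by both renderers)."""
    return "".join(
        f'<td><input type="checkbox" name="[{perm}]"{" checked" if granted else ""}/></td>'
        for perm, granted in permissions.items()
    )


def render_row_vulnerable(user: str, permissions: dict) -> str:
    """Mirror the pre-2.6.2 behaviour: the user name goes into the page as-is,
    so a name containing markup is interpreted by the viewer's browser."""
    return f"<tr><td>{user}</td>{_permission_cells(permissions)}</tr>"


def render_row_fixed(user: str, permissions: dict) -> str:
    """Escaped rendering: the user name is HTML-encoded before insertion, so
    the stored string is displayed literally and cannot become an element."""
    safe_user = html.escape(user, quote=True)
    return f"<tr><td>{safe_user}</td>{_permission_cells(permissions)}</tr>"


def find_markup_principals(config_xml: str) -> list:
    """Return every <permission> entry whose text contains HTML-significant
    characters. Permission IDs are dotted Java identifiers, so any such
    character must come from the principal part of the entry."""
    root = ET.fromstring(config_xml)
    suspicious = []
    for elem in root.iter("permission"):
        entry = (elem.text or "").strip()
        if HTML_SPECIAL.search(entry):
            suspicious.append(entry)
    return suspicious


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(document.domain)>"  # constructed attacker-chosen name
    perms = {"hudson.model.Item.Read": True, "hudson.model.Item.Configure": False}
    print("vulnerable:", render_row_vulnerable(payload, perms))
    print("fixed:     ", render_row_fixed(payload, perms))
    print("config.xml entries carrying markup:", find_markup_principals(SAMPLE_CONFIG_XML))
```

The vulnerable renderer emits the `<img ...>` element verbatim inside the table cell, which is why the advisory rates this as stored XSS against anyone who views the permission table; the fixed renderer emits `&lt;img ...&gt;` and the browser shows the text. The scan is a useful one-off check on a Jenkins controller that ran a version before 2.6.2: under project-based matrix authorization the per-job permission table accepts arbitrary principal strings, so a Job/Configure user could have stored such an entry, and updating the plugin neutralizes future rendering but does not remove the stored name.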
Metadata
Created: 2022-05-24T17:23:39Z
Modified: 2022-12-27T23:15:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vr6v-wjfw-rxcr/GHSA-vr6v-wjfw-rxcr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-vr6v-wjfw-rxcr
Finding: F425
Auto approve: 1