CVE-2022-20615 – org.jenkins-ci.plugins:matrix-project
Package
Manager: maven
Name: org.jenkins-ci.plugins:matrix-project
Vulnerable Version: =1.19 || >=1.19 <1.20 || >=0 <1.18.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.43559 (percentile 0.97431)
Details
Stored XSS vulnerability in Matrix Project Plugin
Jenkins Matrix Project Plugin prior to 1.20 and 1.18.1 does not escape HTML metacharacters in node and label names, and label descriptions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. Matrix Project Plugin 1.20 and 1.18.1 escapes HTML metacharacters in node and label names, and label descriptions.
Metadata
Created: 2022-01-13T00:01:04Z
Modified: 2023-10-27T16:18:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-vqwg-4v6f-h6x5/GHSA-vqwg-4v6f-h6x5.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-vqwg-4v6f-h6x5
Finding: F425
Auto approve: 1