CVE-2020-2256 – org.jenkins-ci.plugins:pipeline-maven
Package
Manager: maven
Name: org.jenkins-ci.plugins:pipeline-maven
Vulnerable Version: >=0 <3.9.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00233 (percentile: 0.4603)
Details
Stored XSS vulnerability in Pipeline Maven Integration Plugin via unescaped display name
Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.
Metadata
Created: 2022-05-24T17:28:25Z
Modified: 2023-12-20T13:38:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hq2h-9mc3-h6w2/GHSA-hq2h-9mc3-h6w2.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-hq2h-9mc3-h6w2
Finding: F425
Auto approve: 1