CVE-2020-2137 – org.jenkins-ci.plugins:timestamper
Package
Manager: maven
Name: org.jenkins-ci.plugins:timestamper
Vulnerable Version: >=0 <1.11.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00242 (percentile 0.47342)
Details
Stored XSS vulnerability in Jenkins Timestamper Plugin. Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display timestamps in build console output. Because the formatting string is stored and then rendered into every console page that shows timestamps, this is a stored cross-site scripting vulnerability; it can be exploited by users with Overall/Administer permission (hence PR:H in the CVSS vector) against any user who views console output (hence UI:R). Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and allows only basic, safe HTML formatting.
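The fix described above is an allowlist sanitizer: the stored formatting string is parsed as HTML, only a few harmless inline tags survive, every attribute (including on* handlers and style) is dropped, and all text is re-escaped. The following is an added illustration of that approach, not the Timestamper plugin's own code. It assumes a hypothetical allowlist (b, i, u, em, strong, span) and models the formatting string as plain HTML around an `HH:mm:ss` placeholder; the real plugin's format syntax and its exact tag allowlist are not reproduced here. Sample inputs are constructed for the example.

```python
"""Allowlist sanitizer for an admin-supplied HTML timestamp format.

Added example (not the Timestamper plugin's own code). Before 1.11.2 the
formatting string was emitted into console output verbatim; the 1.11.2 fix
keeps only basic, safe formatting. This module shows both paths.
"""
import html
from html.parser import HTMLParser

# Assumed allowlist for the example: inline formatting only, never attributes.
ALLOWED_TAGS = frozenset({"b", "i", "u", "em", "strong", "span"})
# Elements whose body is script/style text rather than timestamp text.
DROP_CONTENT_TAGS = frozenset({"script", "style"})


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only ALLOWED_TAGS, with no attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized fragments, joined at the end
        self.open_tags = []   # allowed tags currently open, for balancing
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed element (e.g. <img onerror=...>) vanishes
        # Attributes are discarded wholesale: no style=, href=, on*= handlers.
        self.out.append(f"<{tag}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray close tag or one for a dropped element
        # Close everything opened after it so the output stays well formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            # convert_charrefs=True already decoded entities, so re-escaping
            # here cannot double-escape and cannot let a raw '<' through.
            self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        self.close()  # flush any buffered trailing text
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html_format(fmt):
    """Return fmt reduced to allowlisted inline tags and escaped text."""
    parser = _AllowlistSanitizer()
    parser.feed(fmt)
    return parser.result()


def render_console_line(fmt, timestamp, safe):
    """Console fragment as the page would embed it. safe=False models the
    1.11.1 behaviour (format trusted as raw HTML); safe=True models 1.11.2."""
    markup = sanitize_html_format(fmt) if safe else fmt
    return f'<span class="timestamp">{markup.replace("HH:mm:ss", timestamp)}</span>'


if __name__ == "__main__":
    # Constructed inputs: one benign format and three hostile ones.
    formats = [
        "<b>HH:mm:ss</b>",
        '<b onclick="alert(1)">HH:mm:ss</b>',
        "<img src=x onerror=alert(1)>HH:mm:ss",
        "<script>alert(document.cookie)</script><i>HH:mm:ss</i>",
    ]
    for fmt in formats:
        print("1.11.1:", render_console_line(fmt, "12:34:56", safe=False))
        print("1.11.2:", render_console_line(fmt, "12:34:56", safe=True))
```

Dropping disallowed elements entirely (rather than escaping them into visible text) matches the "only basic, safe formatting" behaviour described for 1.11.2 and keeps the console line readable; the important property is that no attribute of any kind reaches the output, since even an allowlisted tag becomes an XSS vector once `onmouseover` or a `style` with an expression is permitted.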
Metadata
Created: 2022-05-24T17:10:27Z
Modified: 2023-01-05T20:18:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6xxf-rwv4-mrjm/GHSA-6xxf-rwv4-mrjm.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-6xxf-rwv4-mrjm
Finding: F425
Auto approve: 1