Server-side cross-site scripting in org.jenkins-ci.main:jenkins-core

Description

Stored XSS vulnerability in Jenkins console links

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the href attribute of these links.
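
The difference between the affected and the fixed behaviour, shown as an added Java sketch that is not Jenkins source code. The class, the method names and the sample URL value are hypothetical and constructed for illustration; the sample uses an inert `data-injected` attribute to show the attribute boundary being crossed.

```java
// Added illustration; not Jenkins source. All names here are hypothetical.
public class ConsoleLinkEscaping {

    // Affected pattern: the URL is concatenated into href without escaping.
    static String linkUnescaped(String url, String text) {
        return "<a href=\"" + url + "\">" + escape(text) + "</a>";
    }

    // Fixed pattern: the href value is escaped like any other attribute value.
    static String linkEscaped(String url, String text) {
        return "<a href=\"" + escape(url) + "\">" + escape(text) + "</a>";
    }

    // Minimal HTML escaper for the characters that end an attribute value or open a tag.
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed value standing in for job-controlled link data; the quote ends href early.
        String url = "job/downstream\" data-injected=\"1";
        String text = "downstream";

        String before = linkUnescaped(url, text);
        String after = linkEscaped(url, text);
        System.out.println("unescaped: " + before);
        System.out.println("escaped:   " + after);

        // Regression-style check: only the two quotes delimiting href may appear raw.
        long rawBefore = before.chars().filter(ch -> ch == '"').count();
        long rawAfter = after.chars().filter(ch -> ch == '"').count();
        if (rawBefore != 4) throw new AssertionError("sample did not cross the attribute boundary");
        if (rawAfter != 2) throw new AssertionError("href value was not escaped");
    }
}
```

In the unescaped output the browser parses a second attribute on the anchor; in the escaped output the whole value stays inside `href`.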

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions