Fluid Attacks Database

Description

Reflected XSS vulnerability in Jenkins VncViewer Plugin VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

VncViewer Plugin 1.8 escapes the parameter value in the output.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.plugins:vncviewer	>=0 <1.8	1.8
maven	org.jenkins-ci.plugins:vncrecorder	>=0 <=1.7	1.18

Aliases

1. CVE-2020-22072. NVD-2020-22073. OSV-2020-22074. GCVE-2020-2207

References

1. https://github.com/jenkinsci/vncviewer-plugin/commit/99b2aa3ed0857ef35de9a3aca0b0c53add3b392d2. https://jenkins.io/security/advisory/2020-07-02/#SECURITY-17763. http://www.openwall.com/lists/oss-security/2020/07/02/7