Improper Neutralization of Input During Web Page Generation in Jenkins

Moderate severity GitHub Reviewed Published May 24, 2022 to the GitHub Advisory Database • Updated Dec 14, 2023

Package

maven org.jenkins-ci.main:jenkins-core (Maven)

Affected versions

<= 2.204.5
> 2.222.1, <= 2.227

Patched versions

2.204.6
2.228

Description

Jenkins 2.227 and earlier, and LTS 2.204.5 and earlier, do not properly escape node labels shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

References

Published by the National Vulnerability Database Mar 25, 2020
Published to the GitHub Advisory Database May 24, 2022
Reviewed Jun 24, 2022
Last updated Dec 14, 2023

Severity

Moderate
5.4 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2020-2161

GHSA ID

GHSA-g8pg-qrvm-wgh2

Source code

No known source code