Description

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/03/25/2

https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781

Related Vulnerabilities

CVE-2020-5413 Vulnerability in maven package org.springframework.integration:spring-integration

CVE-2022-37423 Vulnerability in maven package org.neo4j.procedure:apoc

CVE-2021-45456 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk14

CVE-2022-33682 Vulnerability in maven package org.apache.pulsar:pulsar-broker

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory