CVE-2020-2161
published 2020-03-25

Priority: P426
CVSS 3.1: 5.4 (medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.24% (65.3 percentile)
Jenkins 2.227 and earlier and LTS 2.204.5 and earlier do not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels. The precondition is therefore the permission to define labels on nodes (agents), not access to the job itself; the payload is stored in the label and fires when another user opens a job configuration page whose label-expression validation message includes that label, which is why the CVSS vector carries UI:R and S:C.

Affected (14 ranges)

Vendor           Product                                                Version range         Fixed in
jenkins          artifactory_plugin
jenkins          aws_steps_plugin
jenkins          azure_container_service_plugin
jenkins          jenkins                                                <= 2.204.5 (LTS)
jenkins          jenkins                                                <= 2.227 (weekly)
jenkins          jenkins_core
jenkins          jenkins_lts
jenkins          jenkins_weekly
jenkins          openshift_pipeline_plugin
jenkins          queue_cleanup_plugin
jenkins          rapiddeploy_plugin
jenkins          yaml_input_files_to_azure_container_service_plugin
jenkins          yaml_input_files_to_openshift_pipeline_plugin
jenkins_project  jenkins                                                unspecified – 2.227

Rows without a version range list none on this page; the two jenkins/jenkins rows correspond to the LTS and weekly lines named in the description.
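A version check against the two ranges in this table, as an added example (not from this page or the Jenkins project). Jenkins weekly releases carry two numeric components (2.227) and LTS releases carry three (2.204.5), so the two lines must be compared separately: a naive tuple comparison would call LTS 2.204.6 "affected" because 2.204 < 2.227, even though it lies outside the LTS range listed here. The bounds are the ones stated on this page; the version strings in the sample inventory are constructed.

```python
"""Check Jenkins core version strings against the CVE-2020-2161 affected
ranges listed on this page: weekly <= 2.227, LTS <= 2.204.5.
"""
import re

# Upper bounds of the affected ranges as stated on this page.
MAX_AFFECTED_WEEKLY = (2, 227)
MAX_AFFECTED_LTS = (2, 204, 5)

# major.minor with an optional third component; a trailing -SNAPSHOT or
# +build suffix is tolerated and ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(version: str):
    """Return ('weekly', (major, minor)) or ('lts', (major, minor, patch)).

    Raises ValueError for strings that are not Jenkins-style versions.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Jenkins version string: {version!r}")
    major, minor, patch = m.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_affected(version: str) -> bool:
    """True if `version` falls inside the affected ranges on this page.

    The LTS and weekly lines are compared against their own upper bound,
    never against each other.
    """
    line, parts = parse_version(version)
    if line == "weekly":
        return parts <= MAX_AFFECTED_WEEKLY
    return parts <= MAX_AFFECTED_LTS


def triage(versions):
    """Map each version string to 'affected', 'not affected' or 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not affected"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["2.227", "2.228", "2.204.5", "2.204.6", "2.222.1",
              "1.658", "2.204.5-SNAPSHOT", "latest"]
    for v, verdict in triage(sample).items():
        print(f"{v:>18}  {verdict}")
```

A pre-release suffix such as 2.204.5-SNAPSHOT is deliberately treated as the base version and therefore reported as affected; unparseable strings are surfaced rather than silently skipped so an inventory with odd entries does not yield a falsely clean result.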

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     5.4    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd            v2.0     3.5    LOW       AV:N/AC:M/Au:S/C:N/I:P/A:N
vendor_redhat           5.4    MEDIUM