CVE-2020-2190

CWE-79 — Cross-site Scripting (XSS)CWE-312 — Cleartext Storage of Sensitive Info CWE-416 — Use After Free9 documents7 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 69.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Script Security Plugin Jenkins Script Security

Timeline

PublishedJun 3

Latest updateAug 19

Description

Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:script-security< 1.73

▶CVEListV5jenkins_project/jenkins_script_security_pluginunspecified — 1.72

▶NVDjenkins/script_security1.72

🔴Vulnerability Details

OSV

Improper Neutralization of Input During Web Page Generation in Jenkins Script Security Plugin↗2022-05-24

▶

GHSA

Improper Neutralization of Input During Web Page Generation in Jenkins Script Security Plugin↗2022-05-24

▶

CVEList

CVE-2020-2190: Jenkins Script Security Plugin 1↗2020-06-03

▶

📋Vendor Advisories

Red Hat

podman: Security regression of CVE-2020-14370 due to source code management issue↗2022-08-19

▶

Red Hat

podman: Security regression of CVE-2020-8945 due to source code management issue↗2022-08-19

▶

Jenkins

Jenkins Security Advisory 2020-06-03↗2020-06-03

▶

Red Hat

jenkins-script-security-plugin: cross-site scripting vulnerability due to configure sandboxed scripts↗2020-06-03

▶

💬Community

Bugzilla

CVE-2020-2190 jenkins-script-security-plugin: cross-site scripting vulnerability due to configure sandboxed scripts↗2020-06-16

▶