CVE-2020-2221 — Cross-site Scripting in Project Jenkins

CWE-79 — Cross-site Scripting9 documents8 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 33.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Jenkins

Timeline

PublishedJul 15

Latest updateMay 24

Description

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDjenkins/jenkins2.235.1+1

▶CVEListV5jenkins_project/jenkinsunspecified — 2.244+1

🔴Vulnerability Details

GHSA

Stored XSS vulnerability in Jenkins upstream cause↗2022-05-24

▶

OSV

Stored XSS vulnerability in Jenkins upstream cause↗2022-05-24

▶

CVEList

CVE-2020-2221: Jenkins 2↗2020-07-15

▶

💥Exploits & PoCs

Exploit-DB

HardDrive 2.1 for iOS - Arbitrary File Upload↗2020-05-01

▶

📋Vendor Advisories

Red Hat

jenkins: Stored XSS vulnerability in upstream cause↗2020-07-15

▶

Jenkins

Jenkins Security Advisory 2020-07-15↗2020-07-15

▶

💬Community

Bugzilla

CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause [fedora-all]↗2020-07-15

▶

Bugzilla

CVE-2020-2221 jenkins: Stored XSS vulnerability in upstream cause↗2020-07-15

▶