CVE-2020-2222Cross-site Scripting in Project Jenkins

CWE-79Cross-site ScriptingCWE-787Out-of-bounds Write9 documents7 sources
Severity
5.4MEDIUMNVD
EPSS
0.5%
top 33.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project JenkinsJenkins
Timeline
PublishedJul 15
Latest updateMay 24

Description

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

NVDjenkins/jenkins2.235.1+1
CVEListV5jenkins_project/jenkinsunspecified2.244+1

🔴Vulnerability Details

3
GHSA
Stored XSS vulnerability in Jenkins 'keep forever' badge icon2022-05-24
OSV
Stored XSS vulnerability in Jenkins 'keep forever' badge icon2022-05-24
CVEList
CVE-2020-2222: Jenkins 22020-07-15

📋Vendor Advisories

3
Red Hat
libsolv: Heap overflow2022-02-21
Red Hat
jenkins: Stored XSS vulnerability in 'keep forever' badge icons2020-07-15
Jenkins
Jenkins Security Advisory 2020-07-152020-07-15

💬Community

2
Bugzilla
CVE-2020-2222 jenkins: Stored XSS vulnerability in 'keep forever' badge icons [fedora-all]2020-07-15
Bugzilla
CVE-2020-2222 jenkins: Stored XSS vulnerability in 'keep forever' badge icons2020-07-15
CVE-2020-2222 — Cross-site Scripting in Project Jenkins | cvebase