CVE-2020-2223: Cross-site Scripting in Project Jenkins

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.5% (top 33.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 15; Latest update Jun 9

Description

Jenkins 2.244 and earlier, and LTS 2.235.1 and earlier, do not correctly escape the 'href' attribute of links to downstream jobs displayed on the build console page, resulting in a stored cross-site scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

NVD: jenkins/jenkins, version 2.235.1 (+1 more)
CVEListV5: jenkins_project/jenkins, unspecified, version 2.244 (+1 more)

Vulnerability Details (4)

GHSA: Arbitrary file read using percent-encoded relative paths in FileMiddleware (2023-06-09)
GHSA: Stored XSS vulnerability in Jenkins console links (2022-05-24)
OSV: Stored XSS vulnerability in Jenkins console links (2022-05-24)
CVEList: CVE-2020-2223: Jenkins 2 (2020-07-15)

Exploits & PoCs (1)

Exploit-DB: Easy Transfer 1.7 for iOS - Directory Traversal (2020-04-29)

Vendor Advisories (2)

Jenkins: Jenkins Security Advisory 2020-07-15 (2020-07-15)
Red Hat: jenkins: Stored XSS vulnerability in console links (2020-07-15)

Community (2)

Bugzilla: CVE-2020-2223 jenkins: Stored XSS vulnerability in console links (2020-07-15)
Bugzilla: CVE-2020-2223 jenkins: Stored XSS vulnerability in console links [fedora-all] (2020-07-15)
Source: cvebase (CVE-2020-2223, Cross-site Scripting in Project Jenkins)