CVE-2020-2238: Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site…

medium5.4CVSS 3.1

AVNACLPRLUIRSCCLILAN

Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Affected

12 ranges

Vendor	Product	Version range	Fixed in
jenkins	build_failure_analyzer_plugin	—	—
jenkins	cadence_vmanager_plugin	—	—
jenkins	database_plugin	—	—
jenkins	git_parameter	<= 0.9.12	—
jenkins	git_parameter_plugin	—	—
jenkins	jsgames_plugin	—	—
jenkins	klocwork_analysis_plugin	—	—
jenkins	klocwork_plugin	—	—
jenkins	parameterized_remote_trigger_plugin	—	—
jenkins	readyapi_functional_testing_plugin	—	—
jenkins	valgrind_plugin	—	—
jenkins_project	jenkins_git_parameter_plugin	unspecified – 0.9.12	—