exploitDog
GHSA-6xxf-rwv4-mrjm

Published: 24 May 2022
Source: github
GitHub: Reviewed
CVSS3: 4.8

Description

Stored XSS vulnerability in Jenkins Timestamper Plugin

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

Packages

Name                                 Ecosystem   Affected versions   Fixed version
org.jenkins-ci.plugins:timestamper   maven       <= 1.11.1           1.11.2

EPSS: 0.00242 (percentile: 47%, Low)

CVSS3: 4.8 Medium

Weaknesses: CWE-79

Related vulnerabilities

CVSS3: 4.8
nvd
almost 6 years ago

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.
