Описание
Stored XSS vulnerability in Pipeline Maven Integration Plugin via unescaped display name
Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2020-2256
- https://github.com/jenkinsci/pipeline-maven-plugin/commit/78b8e6d49bffcc6b65064a882c03a2b4bb157230
- https://github.com/jenkinsci/pipeline-maven-plugin
- https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1976
- http://www.openwall.com/lists/oss-security/2020/09/16/3
Пакеты
Наименование
org.jenkins-ci.plugins:pipeline-maven
maven
Затронутые версииВерсия исправления
<= 3.9.2
3.9.3
Связанные уязвимости
CVSS3: 5.4
nvd
больше 5 лет назад
Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.