GHSA-vr6v-wjfw-rxcr

Published: May 24, 2022
Source: github
GitHub: Reviewed
CVSS3: 8

Description

Stored XSS vulnerability in Jenkins Matrix Authorization Strategy Plugin

Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission, otherwise by users with Overall/Administer permission.

Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission table.

Packages

Name: org.jenkins-ci.plugins:matrix-auth (maven)
Affected versions: <= 2.6.1
Fixed version: 2.6.2

EPSS

Percentile: 29%
0.00105
Low

CVSS3: 8 High

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 8
redhat
more than 5 years ago

Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.

CVSS3: 5.4
nvd
more than 5 years ago

Jenkins Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the configuration, resulting in a stored cross-site scripting vulnerability.
