Description
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
A flaw was found in Jenkins in versions prior to 2.251 and LTS 2.235.3. The project naming strategy description, displayed on item creation, is not properly escaped. This can result in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permissions. The highest threat from this vulnerability is to data confidentiality and integrity.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Fuse 7 | jenkins | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | jenkins | Fixed | RHSA-2020:4223 | 22.10.2020 |
| Red Hat OpenShift Container Platform 4.3 | jenkins | Fixed | RHSA-2020:3808 | 23.09.2020 |
| Red Hat OpenShift Container Platform 4.4 | openshift4/ose-jenkins | Fixed | RHSA-2020:4220 | 13.10.2020 |
| Red Hat OpenShift Container Platform 4.5 | jenkins | Fixed | RHSA-2020:3841 | 30.09.2020 |
Additional information
Status: 5.4 Medium (CVSS3)
Related vulnerabilities
Jenkins Cross-site Scripting vulnerability in project naming strategy