Lucene search

[email protected]CVE-2020-2231

HistoryAug 12, 2020 - 2:15 p.m.

CVE-2020-2231

2020-08-1214:15:13

CWE-79

[email protected]

web.nvd.nist.gov

130

cve-2020-2231

jenkins

lts

cross-site scripting

xss

vulnerability

remote address

trigger builds remotely

authentication token

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.007 Low

EPSS

Percentile

80.6%

JSON

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via ‘Trigger builds remotely’, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

Affected configurations

NVD

Node

jenkinsjenkinsRange≤2.235.3lts

jenkinsjenkinsRange≤2.251-

CPENameOperatorVersion
jenkins:jenkinsjenkinsle2.235.3
jenkins:jenkinsjenkinsle2.251

CPE	Name	Operator	Version
jenkins:jenkins	jenkins	le	2.235.3
jenkins:jenkins	jenkins	le	2.251

CNA Affected

[
  {
    "product": "Jenkins",
    "vendor": "Jenkins project",
    "versions": [
      {
        "lessThanOrEqual": "2.251",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "LTS 2.235.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]