Exploitable Stored XSS in Jenkins Code Coverage API Plugin
CVE-2020-2106
5.4 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 29 January 2020
Summary
The Jenkins Code Coverage API Plugin prior to version 1.1.3 is susceptible to a stored Cross-Site Scripting (XSS) vulnerability. The issue arises because the plugin does not escape the filename of the coverage report before displaying it in its web interface. As a result, authenticated users with permission to modify job configurations can cause arbitrary JavaScript to execute in the browser of any user who views the affected page. Successful exploitation could lead to session hijacking, data theft, or further compromise of the Jenkins environment.
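The root cause described above, untrusted text concatenated into HTML without escaping, is easiest to see side by side with its fix. The following Java snippet is an added illustration, not code from the Code Coverage API Plugin or from Jenkins; the `renderUnescaped`/`renderEscaped` functions and the constructed `SAMPLE_FILENAME` are assumptions made for the example. A real plugin would use the platform's own escaping helpers and templating defaults rather than a hand-written escaper, but the contract is the same: every character that can change HTML structure must be neutralised before the filename reaches the page.

```java
// Added example: vulnerable vs. escaped rendering of a user-controlled filename.
// Not the plugin's code; function names and the sample value are hypothetical.
public final class ReportTitleEscaping {

    // Constructed sample: a report filename that an attacker with job-config
    // rights could set. It closes the surrounding element and injects markup.
    static final String SAMPLE_FILENAME = "coverage.xml</h2><script>alert(1)</script>";

    // Vulnerable pattern: the filename is interpolated into HTML verbatim,
    // so any markup it contains becomes part of the page.
    static String renderUnescaped(String filename) {
        return "<h2>Coverage report: " + filename + "</h2>";
    }

    // Minimal HTML escaper for the five characters that matter in text and
    // attribute contexts. Production code should use a vetted library instead.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened pattern: the same template, but the filename is escaped first,
    // so the browser renders it as literal text rather than as markup.
    static String renderEscaped(String filename) {
        return "<h2>Coverage report: " + escapeHtml(filename) + "</h2>";
    }

    // Simple check a reviewer or unit test can apply: escaped output must not
    // contain a raw '<' or '>' that originated from the untrusted input.
    static boolean containsRawMarkup(String rendered, String untrusted) {
        String inner = rendered.replace("<h2>Coverage report: ", "").replace("</h2>", "");
        return inner.contains("<") || inner.contains(">") || inner.contains(untrusted);
    }

    public static void main(String[] args) {
        String bad = renderUnescaped(SAMPLE_FILENAME);
        String good = renderEscaped(SAMPLE_FILENAME);
        System.out.println("unescaped : " + bad);
        System.out.println("escaped   : " + good);
        System.out.println("raw markup in unescaped? " + containsRawMarkup(bad, SAMPLE_FILENAME));
        System.out.println("raw markup in escaped?   " + containsRawMarkup(good, SAMPLE_FILENAME));
    }
}
```

Running the example prints the unescaped string with the injected `<script>` element intact, while the escaped version renders the same filename as `coverage.xml&lt;/h2&gt;&lt;script&gt;...`, which the browser shows as text. The `containsRawMarkup` check is the kind of assertion worth adding to a plugin's tests for every place a job-controlled value (filenames, display names, labels) is written into a view.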
Affected Version(s)
Jenkins Code Coverage API Plugin <= 1.1.2
References
CVSS V3.1
- Score: 5.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved