Stored Cross-Site Scripting in Jenkins Git Parameter Plugin
CVE-2020-2112

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Git Parameter Plugin
Vendor: CVE Published:; 12 February 2020

Summary

The Git Parameter Plugin for Jenkins does not adequately sanitize the parameter names displayed in the user interface. This oversight allows users with 'Job/Configure' permissions to execute stored cross-site scripting attacks, potentially leading to unauthorized access and manipulation of Jenkins jobs. It is critical for users to update to version 0.9.12 or later to mitigate this security risk.

Affected Version(s)

Jenkins Git Parameter Plugin 0.9.4

Jenkins Git Parameter Plugin <= 0.9.11

References

https://jenkins.io/security/advisory/2020-02-12/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/02/12/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 12, 2020
Vulnerability Reserved
Dec 5, 2019