Stored Cross-Site Scripting in Jenkins Matrix Authorization Strategy Plugin
CVE-2020-2226

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Matrix Authorization Strategy Plugin
Vendor: CVE Published:; 15 July 2020

What is CVE-2020-2226?

The Jenkins Matrix Authorization Strategy Plugin, versions 2.6.1 and earlier, contains a flaw that results in stored cross-site scripting. This security issue arises because user names displayed in the configuration are not properly escaped, allowing an attacker to inject malicious scripts. If exploited, this vulnerability could potentially lead to unauthorized execution of scripts in the context of the user, compromising sensitive data and functionalities within Jenkins.

Affected Version(s)

Jenkins Matrix Authorization Strategy Plugin <= 2.6.1

References

https://jenkins.io/security/advisory/2020-07-15/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/07/15/5

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 15, 2020
Vulnerability Reserved
Dec 5, 2019