Stored Cross-Site Scripting in Jenkins Matrix Authorization Strategy Plugin
CVE-2020-2226

5.4MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Matrix Authorization Strategy Plugin
Vendor
CVE Published:
15 July 2020

Summary

The Jenkins Matrix Authorization Strategy Plugin, versions 2.6.1 and earlier, contains a flaw that results in stored cross-site scripting. This security issue arises because user names displayed in the configuration are not properly escaped, allowing an attacker to inject malicious scripts. If exploited, this vulnerability could potentially lead to unauthorized execution of scripts in the context of the user, compromising sensitive data and functionalities within Jenkins.

Affected Version(s)

Jenkins Matrix Authorization Strategy Plugin <= 2.6.1

References

https://jenkins.io/security/advisory/2020-07-15/#SECURITY...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/07/15/5
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.