Cross-Site Scripting Vulnerability in Jenkins Build Failure Analyzer Plugin by Jenkins
CVE-2020-2244
CVSS 5.4 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 1 September 2020
Summary
Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier contains a cross-site scripting (XSS) vulnerability caused by improper handling of form validation responses: the plugin does not apply the escaping needed before returning that content to the browser. Because of this missing escaping, an attacker can inject script into the console output of builds, and when the script runs in another user's browser it can compromise the Jenkins server and its users. Jenkins administrators should upgrade to the latest version of the plugin to mitigate this risk.
Affected Version(s)
Jenkins Build Failure Analyzer Plugin <= 1.27.0
CVSS V3.1
- Score: 5.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
Timeline
- Vulnerability published: 1 September 2020
- Vulnerability reserved