Cross-Site Scripting Vulnerability in Jenkins Liquibase Runner Plugin
CVE-2020-2283

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Liquibase Runner Plugin
Vendor: CVE Published:; 23 September 2020

Summary

The Jenkins Liquibase Runner Plugin, specifically version 1.4.5 and earlier, has a stored cross-site scripting vulnerability due to insufficient escaping of changeset contents. This flaw allows authenticated users with control over changeset files to inject malicious scripts, which can be executed in the context of other users. It poses a significant risk, as it can be exploited without requiring elevated privileges. Securing the plugin against these exploits is essential to protect users from malicious attacks.

Affected Version(s)

Jenkins Liquibase Runner Plugin <= 1.4.5

References

https://www.jenkins.io/security/advisory/2020-09-23/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/09/23/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 23, 2020
Vulnerability Reserved
Dec 5, 2019