GHSA-cfvw-84vq-43mx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cfvw-84vq-43mx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cfvw-84vq-43mx/GHSA-cfvw-84vq-43mx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cfvw-84vq-43mx
- Aliases
-
- CVE-2020-2227
- Published
- 2022-05-24T17:23:39Z
- Modified
- 2024-02-16T08:21:13.023017Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Stored XSS vulnerability in Jenkins Deployer Framework Plugin
- Details
-
Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location.
The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation.
Deployer Framework Plugin 1.3 escapes the URL.
- Database specific
{ "nvd_published_at": "2020-07-15T18:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-28T23:43:56Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-2227
- https://github.com/jenkinsci/deployer-framework-plugin/commit/8fa2e16bce85ec1b93be60102d7cfb5153876e83
- https://github.com/jenkinsci/deployer-framework-plugin
- https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1915
- http://www.openwall.com/lists/oss-security/2020/07/15/5
Affected packages
Maven / org.jenkins-ci.plugins:deployer-framework
Package
- Name
- org.jenkins-ci.plugins:deployer-framework
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/deployer-framework