GHSA-fvwh-wv43-8qj5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fvwh-wv43-8qj5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fvwh-wv43-8qj5/GHSA-fvwh-wv43-8qj5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fvwh-wv43-8qj5
- Aliases
- Published
- 2022-05-24T17:28:25Z
- Modified
- 2024-02-16T08:07:32.411736Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Stored XSS vulnerability in Validating String Parameter Plugin
- Details
-
Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.
- Database specific
{ "nvd_published_at": "2020-09-16T14:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-29T01:34:30Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-2257
- https://github.com/jenkinsci/validating-string-parameter-plugin/commit/345a79d830a5fcd824a3c755506a438c78c48117
- https://github.com/jenkinsci/validating-string-parameter-plugin
- https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1935
- http://www.openwall.com/lists/oss-security/2020/09/16/3
Affected packages
Maven / org.jenkins-ci.plugins:validating-string-parameter
Package
- Name
- org.jenkins-ci.plugins:validating-string-parameter
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/validating-string-parameter