GHSA-h6qc-455m-7v6v

Source

https://github.com/advisories/GHSA-h6qc-455m-7v6v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h6qc-455m-7v6v/GHSA-h6qc-455m-7v6v.json

Aliases

CVE-2020-2224

Published

2022-05-24T17:23:38Z

Modified

2024-02-16T08:11:22.257455Z

Details

Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.

References

Affected packages

Maven / org.jenkins-ci.plugins:matrix-project

Package

Name: org.jenkins-ci.plugins:matrix-project

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.17

Affected versions

1.*

1.0-beta-1

1.0

1.1

1.2

1.2.1

1.3

1.4

1.4.1

1.5

1.6

1.7

1.7.1

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.14.1

1.15

1.16

Database specific

{
    "last_known_affected_version_range": "<= 1.16"
}