jenkins: Multiple vulnerabilities (CVE-2020-2220, CVE-2020-2221, CVE-2020-2222, CVE-2020-2223)
CVE-2020-2220: Stored XSS vulnerability in job build time trend
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.
CVE-2020-2221: Stored XSS vulnerability in upstream cause
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job’s display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
CVE-2020-2222: Stored XSS vulnerability in 'keep forever' badge icons
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names.
CVE-2020-2223: Stored XSS vulnerability in console links
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
References:
- https://www.jenkins.io/security/advisory/2020-07-15/
- https://www.openwall.com/lists/oss-security/2020/07/15/5
Affected branches:
-
master -
3.12-stable