GHSA-cfvw-84vq-43mx

Suggest an improvement
Source
https://github.com/advisories/GHSA-cfvw-84vq-43mx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cfvw-84vq-43mx/GHSA-cfvw-84vq-43mx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cfvw-84vq-43mx
Aliases
  • CVE-2020-2227
Published
2022-05-24T17:23:39Z
Modified
2023-12-14T10:00:48.835586Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Stored XSS vulnerability in Jenkins Deployer Framework Plugin
Details

Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location.

The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation.

Deployer Framework Plugin 1.3 escapes the URL.

Database specific
{
    "nvd_published_at": "2020-07-15T18:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-28T23:43:56Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:deployer-framework

Package

Name
org.jenkins-ci.plugins:deployer-framework
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/deployer-framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3

Affected versions

1.*

1.0
1.1
1.2

Database specific

{
    "last_known_affected_version_range": "<= 1.2"
}