CVE-2020-2223 – jenkins: Stored XSS vulnerability in console links
https://notcve.org/view.php?id=CVE-2020-2223
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape correctly the 'href' attribute of links to downstream jobs displayed in the build console page, resulting in a stored cross-site scripting vulnerability. Jenkins versiones 2.244 y anteriores, LTS versiones 2.235.1 y anteriores, no escapan apropiadamente el atributo "href" de los enlaces en trabajos posteriores que se muestran en la página de la consola de compilación, resultando en una vulnerabilidad de tipo cross-site scripting almacenado A flaw was found in Jenkins versions 2.244 and prior and in LTS 2.235.1 and prior. HREF attribute of links to downstream jobs are not escaped on build console pages which could lead to a stored cross-site scripting (XSS) vulnerability. The user must have the Agent/Configure permission for this exploit to function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • http://www.openwall.com/lists/oss-security/2020/07/15/5 https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1945 https://access.redhat.com/security/cve/CVE-2020-2223 https://bugzilla.redhat.com/show_bug.cgi?id=1857433 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2222 – jenkins: Stored XSS vulnerability in 'keep forever' badge icons
https://notcve.org/view.php?id=CVE-2020-2222
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip, resulting in a stored cross-site scripting vulnerability. Jenkins versiones 2.244 y anteriores, LTS versiones 2.235.1 y anteriores, no escapan el nombre del trabajo en la información sobre herramientas de la insignia "Keep this build forever", resultando en una vulnerabilidad de tipo cross-site scripting almacenado A flaw was found in jenkins in versions prior to 2.244 and versions prior to LTS 2.235.1. Job names in the 'Keep this build forever' badge tooltip are not properly escaped which results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • http://www.openwall.com/lists/oss-security/2020/07/15/5 https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1902 https://access.redhat.com/security/cve/CVE-2020-2222 https://bugzilla.redhat.com/show_bug.cgi?id=1857431 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2221 – jenkins: Stored XSS vulnerability in upstream cause
https://notcve.org/view.php?id=CVE-2020-2221
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. Jenkins versiones 2.244 y anteriores, LTS versiones 2.235.1 y anteriores, no escapan el nombre a desplegar del trabajo anterior que se muestra como parte de una causa de compilación, resultando en una vulnerabilidad de tipo cross-site scripting almacenado A flaw was found in Jenkins versions 2.244 and prior and in LTS 2.235.1 and prior. The upstream job's display name is not escaped on build time trend pages which could lead to a stored cross-site scripting (XSS) vulnerability. The user must have the Agent/Configure permission for this exploit to function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • http://www.openwall.com/lists/oss-security/2020/07/15/5 https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1901 https://access.redhat.com/security/cve/CVE-2020-2221 https://bugzilla.redhat.com/show_bug.cgi?id=1857427 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2220 – jenkins: Stored XSS vulnerability in job build time trend
https://notcve.org/view.php?id=CVE-2020-2220
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. Jenkins versiones 2.244 y anteriores, LTS versiones 2.235.1 y anteriores, no escapan el nombre del agente en la página de tendencia del tiempo de compilación, resultando en una vulnerabilidad de tipo cross-site scripting almacenado A flaw was found in Jenkins versions 2.244 and prior and in LTS 2.235.1 and prior. The agent name is not escaped on build time trend pages which could lead to a stored cross-site scripting (XSS) vulnerability. The user must have the Agent/Configure permission for this exploit to function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. • http://www.openwall.com/lists/oss-security/2020/07/15/5 https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1868 https://access.redhat.com/security/cve/CVE-2020-2220 https://bugzilla.redhat.com/show_bug.cgi?id=1857425 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-2163
https://notcve.org/view.php?id=CVE-2020-2163
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers. Jenkins versiones 2.227 y anteriores, LTS versiones 2.204.5 y anteriores, procesan inapropiadamente el contenido HTML de los encabezados de columna de visualización de lista, resultando en una vulnerabilidad de tipo XSS almacenado explotable por usuarios capaces de controlar encabezados de columna. • http://www.openwall.com/lists/oss-security/2020/03/25/2 https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1796 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •