CVE-2020-2231
Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
3Exploited in Wild
-Decision
Descriptions
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Jenkins versiones 2.251 y anteriores, versiones LTS 2.235.3 y anteriores, no escapa la dirección remota del host que inicia una compilación por medio de "Trigger builds remotely", resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado explotables por usuarios con permiso de Trabajo y Configuración o conocimiento del Token de Autenticación
A flaw was found in Jenkins versions prior to 2.251 and LTS 2.235.3. The remote address of hosts starting a build via 'Trigger builds remotely' are not properly escaped leading to a potential stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the authentication token. The highest threat from this vulnerability is to data confidentiality and integrity.
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include cross site scripting and information leakage vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-12-05 CVE Reserved
- 2020-08-12 CVE Published
- 2020-12-14 First Exploit
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2020/08/12/4 | Mailing List |
|
URL | Date | SRC |
---|---|---|
https://packetstorm.news/files/id/160616 | 2020-12-18 | |
https://www.exploit-db.com/exploits/49244 | 2020-12-14 | |
http://packetstormsecurity.com/files/160616/Jenkins-2.251-LTS-2.235.3-Cross-Site-Scripting.html | 2024-08-04 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1960 | 2023-11-02 | |
https://access.redhat.com/security/cve/CVE-2020-2231 | 2020-10-22 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1875234 | 2020-10-22 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.235.3 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.235.3" | lts |
Affected
| ||||||
Jenkins Search vendor "Jenkins" | Jenkins Search vendor "Jenkins" for product "Jenkins" | <= 2.251 Search vendor "Jenkins" for product "Jenkins" and version " <= 2.251" | - |
Affected
|