{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.227", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "LTS 2.204.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:06:06.374Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781"}, {"name": "[oss-security] 20200325 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2161", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.227"}, {"version_affected": "<=", "version_value": "LTS 2.204.5"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781"}, {"name": "[oss-security] 20200325 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:01:40.978Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781"}, {"name": "[oss-security] 20200325 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2161", "datePublished": "2020-03-25T16:05:34", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:01:40.978Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "CFE13DC6-8F0E-458C-AD96-32E8F057CA18", "versionEndIncluding": "2.204.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "861CC050-ED58-468C-BC49-76C840E22E3D", "versionEndIncluding": "2.227", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels."}, {"lang": "es", "value": "Jenkins versiones 2.227 y anteriores, LTS versiones 2.204.5 y versiones anteriores, no se escapan apropiadamente las etiquetas de nodo que son mostradas en la comprobaci\u00f3n del formulario para las expresiones de etiqueta en las p\u00e1ginas de configuraci\u00f3n del trabajo, resultando en una vulnerabilidad de tipo XSS almacenado explotable por usuarios capaces de definir etiquetas de nodo."}], "id": "CVE-2020-2161", "lastModified": "2024-11-21T05:24:49.760", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-25T17:15:15.000", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/03/25/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHBA-2020:2477", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.222.1.1591351669-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "atomic-enterprise-service-catalog-1:4.3.25-202006081518.git.1.52b3a66.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "atomic-openshift-service-idler-0:4.3.25-202006081518.git.1.79365c5.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "conmon-2:2.0.17-1.rhaos4.3.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "cri-o-0:1.16.6-15.dev.rhaos4.3.gitebc053b.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "jenkins-0:2.222.1.1591349991-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "machine-config-daemon-0:4.3.25-202006081518.git.1.478b31a.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift-0:4.3.25-202006060952.git.1.96c30f6.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift-ansible-0:4.3.25-202006060952.git.1.1253fde.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift-clients-0:4.3.25-202006060952.git.1.fd93102.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift-kuryr-0:4.3.25-202006081518.git.1.240b401.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2435", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "s390utils-2:2.6.0-23.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "atomic-enterprise-service-catalog-1:4.4.0-202006080017.git.1.77a5cc9.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "atomic-openshift-service-idler-0:4.4.0-202006080017.git.1.7e463c3.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "conmon-2:2.0.17-1.rhaos4.4.el8", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "cri-o-0:1.17.4-14.dev.rhaos4.4.gitb93af5d.el8", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "jenkins-0:2.222.1.1591351066-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "machine-config-daemon-0:4.4.0-202006080017.git.1.32e0736.el8", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift-0:4.4.0-202006061254.git.1.dc84fb4.el8", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift-ansible-0:4.4.0-202006061254.git.1.a996454.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift-clients-0:4.4.0-202006061254.git.1.26cb6dc.el7", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}, {"advisory": "RHBA-2020:2444", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift-kuryr-0:4.4.0-202006080017.git.1.855ef1d.el8", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-06-17T00:00:00Z"}], "bugzilla": {"description": "jenkins: XSS in job configuration pages", "id": "1819198", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819198"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels."], "name": "CVE-2020-2161", "public_date": "2020-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-2161\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-2161\nhttps://jenkins.io/security/advisory/2020-03-25/#SECURITY-1781"], "threat_severity": "Moderate", "upstream_fix": "jenkins LTS 2.204.6, jenkins LTS 2.222.1, jenkins 2.228"}