CVE-2020-2176 - Vulnerability Details - OpenCVE

Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00207.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins Subscribe	Usemango Runner Subscribe

Configuration 1 [-]

cpe:2.3:a:jenkins:usemango_runner:*:*:*:*:*:jenkins:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-2676	Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.
Github GHSA	GHSA-5x89-75r7-8rjh	XSS vulnerability in Jenkins useMango Runner Plugin

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2020/04/07/3
https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2020-04-07T12:25:25

Updated: 2024-08-04T07:01:40.800Z

Reserved: 2019-12-05T00:00:00

Link: CVE-2020-2176

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-04-07T13:15:13.853

Modified: 2024-11-21T05:24:52.367

Link: CVE-2020-2176

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-79

{"containers": {"cna": {"affected": [{"product": "Jenkins useMango Runner Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:06:24.055Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780"}, {"name": "[oss-security] 20200407 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/04/07/3"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2176", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins useMango Runner Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.4"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780"}, {"name": "[oss-security] 20200407 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/04/07/3"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:01:40.800Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780"}, {"name": "[oss-security] 20200407 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/04/07/3"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2176", "datePublished": "2020-04-07T12:25:25", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:01:40.800Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:usemango_runner:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B2293A40-69A7-479D-BFB2-0F16DB398058", "versionEndIncluding": "1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple form validation endpoints in Jenkins useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service."}, {"lang": "es", "value": "M\u00faltiples endpoints de comprobaci\u00f3n de formularios en Jenkins useMango Runner Plugin versiones 1.4 y anteriores, no escapan a valores recibidos del servicio useMango, resultando en una vulnerabilidad de tipo cross-site-scripting (XSS) explotable por usuarios capaces de controlar los valores devueltos desde el servicio useMango."}], "id": "CVE-2020-2176", "lastModified": "2024-11-21T05:24:52.367", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-07T13:15:13.853", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2020/04/07/3"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2020/04/07/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jenkins.io/security/advisory/2020-04-07/#SECURITY-1780"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}