{"containers": {"cna": {"affected": [{"product": "Jenkins", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.251", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "LTS 2.235.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:07:27.557Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957"}, {"name": "[oss-security] 20200812 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/08/12/4"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2230", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.251"}, {"version_affected": "<=", "version_value": "LTS 2.235.3"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957"}, {"name": "[oss-security] 20200812 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/08/12/4"}, {"name": "http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:01:41.176Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957"}, {"name": "[oss-security] 20200812 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/08/12/4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2230", "datePublished": "2020-08-12T13:25:21", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:01:41.176Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "B3CDA574-C3B5-497F-A4BA-06D8247CC9CF", "versionEndIncluding": "2.235.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "F27D1003-69CA-405C-AF8E-C1EE24980EDC", "versionEndIncluding": "2.251", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission."}, {"lang": "es", "value": "Jenkins versiones 2.251 y anteriores, versiones LTS 2.235.3 y anteriores, no escapan la descripci\u00f3n de la estrategia de nombramiento del proyecto, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado explotable por usuarios con permiso General y de Administraci\u00f3n"}], "id": "CVE-2020-2230", "lastModified": "2023-11-02T21:39:07.867", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-12T14:15:13.190", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/160443/Jenkins-2.235.3-Cross-Site-Scripting.html"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/08/12/4"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:4223", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "jenkins-0:2.235.5.1600415953-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2020-10-22T00:00:00Z"}, {"advisory": "RHSA-2020:3808", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "jenkins-0:2.235.5.1600415514-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-09-23T00:00:00Z"}, {"advisory": "RHSA-2020:4220", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift4/ose-jenkins:v4.4.0-202009260441.p0", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-10-13T00:00:00Z"}, {"advisory": "RHSA-2020:3841", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "jenkins-0:2.235.5.1600414805-1.el7", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-09-30T00:00:00Z"}], "bugzilla": {"description": "jenkins: stored XSS vulnerability in project naming strategy", "id": "1875232", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1875232"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.", "A flaw was found in Jenkins in versions prior to 2.251 and LTS 2.235.3. The project naming strategy description, displayed on item creation, is not properly escaped. This can result in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permissions. The highest threat from this vulnerability is to data confidentiality and integrity."], "name": "CVE-2020-2230", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2020-08-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-2230\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-2230\nhttps://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957"], "threat_severity": "Moderate", "upstream_fix": "Jenkins-LTS 2.235.4, Jenkins 2.252"}