CVE-2020-2262 - Vulnerability Details - OpenCVE

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00233.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Android Lint

Configuration 1 [-]

cpe:2.3:a:jenkins:android_lint:*:*:*:*:*:jenkins:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-1944	Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.
Github GHSA	GHSA-28x9-hc4p-9vh2	Stored XSS vulnerability in android-lint Plugin

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2020/09/16/3
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908

History

No history.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2020-09-16T13:20:43

Updated: 2024-08-04T07:01:41.320Z

Reserved: 2019-12-05T00:00:00

Link: CVE-2020-2262

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-16T14:15:13.703

Modified: 2024-11-21T05:25:07.810

Link: CVE-2020-2262

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Jenkins Android Lint Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2.6", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 2.6", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:08:06.005Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908"}, {"name": "[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2262", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Android Lint Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.6"}, {"version_affected": "?>", "version_value": "2.6"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908"}, {"name": "[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:01:41.320Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908"}, {"name": "[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2262", "datePublished": "2020-09-16T13:20:43", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:01:41.320Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:android_lint:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "2DC92286-7BDA-4E41-8F84-3F94E70D5B80", "versionEndIncluding": "2.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step."}, {"lang": "es", "value": "Jenkins Android Lint Plugin versiones 2.6 y anteriores, no escapa el mensaje de anotaci\u00f3n en tooltips, resultando en una vulnerabilidad de tipo cross-site scripting (XSS) almacenado explotable por atacantes capaces de proporcionar archivos de reportes en el paso posterior a la complicaci\u00f3n del plugin"}], "id": "CVE-2020-2262", "lastModified": "2024-11-21T05:25:07.810", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-16T14:15:13.703", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1908"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}