CVE-2020-2137 — Stored XSS vulnerability in Jenkins Timestamper Plugin

Description

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds. This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission. Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

How to fix CVE-2020-2137

To remediate CVE-2020-2137, upgrade the affected package to a fixed version below.

—upgrade to 1.11.2 or later

Is CVE-2020-2137 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.11.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2137
PATCHgithub.com/jenkinsci/timestamper-plugin
WEBgithub.com/jenkinsci/timestamper-plugin/commit/6637c3e599c330e03251005675beeadb46d8495b
WEBjenkins.io/security/advisory/2020-03-09/#SECURITY-1784