CVE-2020-2257
Stored XSS vulnerability in Validating String Parameter Plugin
8.0
HIGH
CVSS 3.1
EPSS 0.23%
Description
Validating String Parameter Plugin 2.4 and earlier does not escape the validation regular expression when it is shown as a tooltip. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names or parameter descriptions. All three strings are set in the job configuration, so the result is a stored cross-site scripting (XSS) vulnerability exploitable by any user with Job/Configure permission; the injected markup runs in the browser of anyone who later views the job's parameter page. Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the instance-wide configured markup formatter, so whether they are neutralised depends on that global setting: a formatter that escapes or sanitises HTML protects them, while a permissive formatter that passes HTML through leaves descriptions injectable by the same users.
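To make the escaping point concrete, the Python below models the three injection points named in the description (name, description, regex tooltip) and renders them the pre-2.5 way and the 2.5 way. It is an added example and not the plugin's code: the HTML template, the `ValidatingParam` class, the two formatter functions and the payloads are all constructed for illustration. The `audit` helper parses the rendered HTML instead of grepping it, because correctly escaped output still contains the literal text `onmouseover=` inside the attribute value; only a parser shows whether it became an attribute.

```python
"""Model of the stored-XSS pattern behind CVE-2020-2257.

Added example, not the Validating String Parameter Plugin's own code. A parameter
definition carries three strings that anyone with Job/Configure can set: the
parameter name, its description, and the validation regex shown as a tooltip.
The vulnerable renderer interpolates them into HTML verbatim; the fixed renderer
escapes name and regex and hands the description to the configured markup
formatter, mirroring what the 2.5 advisory text describes.
"""
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Callable


@dataclass
class ValidatingParam:          # hypothetical stand-in for the plugin's definition class
    name: str
    description: str
    regex: str


# Constructed payloads of the kind a Job/Configure user could store. The regex
# breaks out of a double-quoted attribute; the other two inject new elements.
DEMO = ValidatingParam(
    name='<img src=x onerror=alert(1)>',
    description='<svg onload=alert(document.cookie)>',
    regex='[a-z]+" onmouseover="alert(document.domain)',
)

# Elements the (hypothetical) template itself emits; anything else was injected.
TEMPLATE_TAGS = {"div", "label", "input"}


def render_vulnerable(p: ValidatingParam) -> str:
    """Pre-2.5 behaviour: raw interpolation into attribute and text contexts."""
    return (f'<div class="param"><label>{p.name}</label>'
            f'<input name="value" type="text" title="{p.regex}">'
            f'<div class="desc">{p.description}</div></div>')


def plain_text_formatter(s: str) -> str:
    """Models a markup formatter that treats descriptions as plain text."""
    return html.escape(s, quote=True)


def raw_html_formatter(s: str) -> str:
    """Models a permissive formatter that trusts HTML; descriptions stay injectable."""
    return s


def render_fixed(p: ValidatingParam,
                 markup_formatter: Callable[[str], str] = plain_text_formatter) -> str:
    """2.5 behaviour: name and regex escaped, description via the formatter.

    quote=True also escapes " and ' so a regex cannot close the title attribute.
    """
    esc = lambda s: html.escape(s, quote=True)
    return (f'<div class="param"><label>{esc(p.name)}</label>'
            f'<input name="value" type="text" title="{esc(p.regex)}">'
            f'<div class="desc">{markup_formatter(p.description)}</div></div>')


class _Audit(HTMLParser):
    """Collects element names and on* event-handler attributes as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: set[str] = set()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        for attr, _value in attrs:
            if attr.startswith("on"):
                self.handlers.append((tag, attr))


def audit(markup: str) -> dict:
    """Return the injected elements and event handlers present in rendered HTML."""
    a = _Audit()
    a.feed(markup)
    a.close()
    return {"unexpected_tags": a.tags - TEMPLATE_TAGS, "event_handlers": a.handlers}


if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable(DEMO)))
    print("fixed, plain-text formatter:", audit(render_fixed(DEMO)))
    print("fixed, raw-HTML formatter:", audit(render_fixed(DEMO, raw_html_formatter)))
```

The third run is the caveat from the description: the 2.5 fix escapes the name and regex unconditionally, but the description is only as safe as the formatter the instance is configured with.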
How to fix CVE-2020-2257
To remediate CVE-2020-2257, upgrade the affected package to a fixed version below.
- upgrade Validating String Parameter Plugin to 2.5 or later
Is CVE-2020-2257 being exploited?
Low. EPSS is 0.23%, i.e. the model estimates well under a 1% probability of exploitation in the wild over the next 30 days. Note that exploitation also requires an authenticated account holding Job/Configure permission.
Affected packages (1)
- Validating String Parameter Plugin: all versions before 2.5 (fixed in 2.5)
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |