CVE-2020-2106
MEDIUM5.4EPSS 0.19%Stored XSS vulnerability in Code Coverage API Plugin
發布日:2022/5/24修改日:2024/2/16
描述
Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.
受影響套件(1)
- Maven/io.jenkins.plugins:code-coverage-apifrom 0, < 1.1.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2106
- PATCHhttps://github.com/jenkinsci/code-coverage-api-plugin
- WEBhttps://github.com/jenkinsci/code-coverage-api-plugin/commit/24921da6d625c4deb259049446dc2b45b1da4603
- WEBhttps://jenkins.io/security/advisory/2020-01-29/#SECURITY-1680
- WEBhttp://www.openwall.com/lists/oss-security/2020/01/29/1