CVE-2020-2137 — Stored XSS vulnerability in Jenkins Timestamper Plugin

描述

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds. This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission. Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

如何修補 CVE-2020-2137

要修補 CVE-2020-2137,請將受影響套件升級到下列已修補版本。

—升級至 1.11.2 或更新版本

CVE-2020-2137 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 1.11.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2137
PATCHgithub.com/jenkinsci/timestamper-plugin
WEBgithub.com/jenkinsci/timestamper-plugin/commit/6637c3e599c330e03251005675beeadb46d8495b
WEBjenkins.io/security/advisory/2020-03-09/#SECURITY-1784