CVE-2020-2257 — Stored XSS vulnerability in Validating String Parameter Plugin

描述

Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

如何修補 CVE-2020-2257

要修補 CVE-2020-2257,請將受影響套件升級到下列已修補版本。

—升級至 2.5 或更新版本

CVE-2020-2257 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 2.5

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2257
PATCHgithub.com/jenkinsci/validating-string-parameter-plugin
WEBgithub.com/jenkinsci/validating-string-parameter-plugin/commit/345a79d830a5fcd824a3c755506a438c78c48117
WEBwww.jenkins.io/security/advisory/2020-09-16/#SECURITY-1935