Jenkins Matrix Project Plugin prior to 1.20 and 1.18.1 does not escape HTML metacharacters in node and label names, and label descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Matrix Project Plugin 1.20 and 1.18.1 escapes HTML metacharacters in node and label names, and label descriptions.
www.openwall.com/lists/oss-security/2022/01/12/6
github.com/CVEProject/cvelist/blob/2d78eb36f4d084db7fb35f1535d8d84fdcb7d859/2022/20xxx/CVE-2022-20615.json
github.com/jenkinsci/matrix-project-plugin
github.com/jenkinsci/matrix-project-plugin/commit/78cc60556304965ffb2dd8c017bf61d4f153f5ea
nvd.nist.gov/vuln/detail/CVE-2022-20615
www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017
www.oracle.com/security-alerts/cpuapr2022.html