Google OSV: GHSA-VQWG-4V6F-H6X5
Jan 13, 2022 - 12:01 a.m.

Stored XSS vulnerability in Matrix Project Plugin

2022-01-13 00:01:04
Source: Google, osv.dev
Tags: jenkins, matrix project plugin, stored xss

EPSS: 0.001 (percentile 32.7%)

Jenkins Matrix Project Plugin prior to 1.20 and 1.18.1 does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 and 1.18.1 escapes HTML metacharacters in node and label names, and label descriptions.
