CVE-2020-2106
Stored XSS vulnerability in Code Coverage API Plugin
CVSS 3.1: 5.4 (MEDIUM)
EPSS 0.19%
Description
Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view. This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the job configuration. Code Coverage API Plugin 1.1.3 escapes the filename of the coverage report used in its view.
How to fix CVE-2020-2106
To remediate CVE-2020-2106, upgrade the affected package to a fixed version below.
- upgrade to 1.1.3 or later
Is CVE-2020-2106 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.1.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |