CVE-2020-2201 — Stored XSS vulnerability in Jenkins Sonargraph Integration Plugin

Description

Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission. Sonargraph Integration Plugin 3.0.1 escapes the affected part of the error message.

How to fix CVE-2020-2201

To remediate CVE-2020-2201, upgrade the affected package to a fixed version below.

—upgrade to 3.0.1 or later

Is CVE-2020-2201 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2201
PATCHgithub.com/jenkinsci/sonargraph-integration-plugin
WEBjenkins.io/security/advisory/2020-07-02/#SECURITY-1775
WEBwww.openwall.com/lists/oss-security/2020/07/02/7