CVE-2020-2222
Stored XSS vulnerability in Jenkins 'keep forever' badge icon
8.0
HIGH
CVSS 3.1
EPSS 0.30%
Description
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations. Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.
How to fix CVE-2020-2222
To remediate CVE-2020-2222, upgrade the affected package to a fixed version below.
- —upgrade to 2.244.1 or later
- —upgrade to 2.235.2 or later
Is CVE-2020-2222 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.244.1
- from 0, < 2.235.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |