CVE-2020-2227 — Stored XSS vulnerability in Jenkins Deployer Framework Plugin

Description

Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location. The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation. Deployer Framework Plugin 1.3 escapes the URL.

How to fix CVE-2020-2227

To remediate CVE-2020-2227, upgrade the affected package to a fixed version below.

—upgrade to 1.3 or later

Is CVE-2020-2227 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2227
PATCHgithub.com/jenkinsci/deployer-framework-plugin
WEBgithub.com/jenkinsci/deployer-framework-plugin/commit/8fa2e16bce85ec1b93be60102d7cfb5153876e83
WEBjenkins.io/security/advisory/2020-07-15/#SECURITY-1915