CVE-2020-2244
XSS vulnerability in Jenkins Build Failure Analyzer Plugin
Severity: 8.0 HIGH (CVSS 3.1) | EPSS: 0.17%
Description
Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications. Build Failure Analyzer Plugin 1.27.1 escapes matching text in the affected form validation response.
How to fix CVE-2020-2244
To remediate CVE-2020-2244, upgrade the affected package to a fixed version below.
- Jenkins Build Failure Analyzer Plugin: upgrade to 1.27.1 or later (1.27.1 escapes the matching text in the affected form validation response).
Is CVE-2020-2244 being exploited?
Low. EPSS is 0.17%, a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks, and this page lists no known exploitation. The CVSS vector (PR:L, UI:R) reflects the preconditions: the attacker must be able to influence build console output that is used to test a build log indication, and a victim with access to that form must trigger the validation.
Affected packages (1)
- Jenkins Build Failure Analyzer Plugin: all versions from 0 up to but not including 1.27.1 (i.e. 1.27.0 and earlier)
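As an added example (not part of this advisory page and not the plugin's own code), the following script reads the JSON that Jenkins' plugin manager returns for `/pluginManager/api/json?depth=1&tree=plugins[shortName,version,active]` and reports whether the installed Build Failure Analyzer version is still in the affected range. It assumes the plugin's short name is `build-failure-analyzer`, and it runs against a constructed sample response rather than a live Jenkins instance.

```python
import json
import re

# Constructed sample of a Jenkins plugin-manager response (not captured from
# a real server). The shortName "build-failure-analyzer" is assumed to be the
# plugin's ID; replace SAMPLE_PLUGIN_JSON with the body fetched from
# /pluginManager/api/json?depth=1&tree=plugins[shortName,version,active]
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.4.5", "active": True},
        {"shortName": "build-failure-analyzer", "version": "1.27.0", "active": True},
    ]
})

AFFECTED_PLUGIN = "build-failure-analyzer"
FIXED_VERSION = "1.27.1"  # first version with the escaping fix (CVE-2020-2244)


def parse_version(v):
    """Turn '1.27.0', '1.27' or '1.27.1-rc1' into a comparable key.

    Returns (numeric components, release flag). The release flag is 1 for a
    plain release and 0 when a '-qualifier' is present, so that a pre-release
    of the fixed version sorts below the fixed release itself and is still
    reported as affected.
    """
    core, sep, _qualifier = v.partition("-")
    nums = []
    for part in core.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums), (0 if sep else 1)


def version_lt(a, b):
    """True if version string a is strictly older than b (1.27 == 1.27.0)."""
    na, fa = parse_version(a)
    nb, fb = parse_version(b)
    n = max(len(na), len(nb))
    na += (0,) * (n - len(na))
    nb += (0,) * (n - len(nb))
    return (na, fa) < (nb, fb)


def assess(plugin_json, affected=AFFECTED_PLUGIN, fixed=FIXED_VERSION):
    """Return a dict describing whether the affected plugin is installed and
    whether its version falls in the range [0, fixed)."""
    data = json.loads(plugin_json)
    for p in data.get("plugins", []):
        if p.get("shortName") == affected:
            version = p.get("version", "")
            return {
                "installed": True,
                "version": version,
                "active": bool(p.get("active", True)),
                "vulnerable": version_lt(version, fixed),
            }
    return {"installed": False, "version": None, "active": None, "vulnerable": False}


if __name__ == "__main__":
    result = assess(SAMPLE_PLUGIN_JSON)
    if result["installed"]:
        state = "AFFECTED" if result["vulnerable"] else "fixed"
        print(f"{AFFECTED_PLUGIN} {result['version']} (active={result['active']}): {state}")
    else:
        print(f"{AFFECTED_PLUGIN} is not installed")
```

A disabled plugin is still reported as affected: its form validation endpoint is not served while it is inactive, but it will be the moment someone re-enables it, so the upgrade is still due.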
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |