Fedora Account System
Red Hat Associate
Red Hat Customer
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. References: https://www.jenkins.io/security/advisory/2020-07-15/
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1857434]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-2223
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:3541 https://access.redhat.com/errata/RHSA-2020:3541
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808