2044499 – (CVE-2022-20615) CVE-2022-20615 jenkins-2-plugins/matrix-project: does not escape HTML metacharacters which could result in XSS

Bug 2044499 (CVE-2022-20615) - CVE-2022-20615 jenkins-2-plugins/matrix-project: does not escape HTML metacharacters which could result in XSS

Summary: CVE-2022-20615 jenkins-2-plugins/matrix-project: does not escape HTML metacha...

Keywords:
Status:	NEW
Alias:	CVE-2022-20615
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2044927 2044928 2044929 2047839
Blocks:	2044461
TreeView+	depends on / blocked

Reported:	2022-01-24 17:24 UTC by Michael Kaplan
Modified:	2023-07-07 08:35 UTC (History)
CC List:	10 users (show)
Fixed In Version:	matrix project plugin 1.20
Doc Type:	If docs needed, set a value
Doc Text:	A stored Cross-site scripting (XSS) vulnerability was found in the Jenkins Matrix Project plugin. There are no escape HTML metacharacters in node, label names, and label descriptions, which allows an attacker with Agent/Configure permissions to perform an XSS attack.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2022-01-24 17:24:04 UTC

Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Reference:

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2017

Note You need to log in before you can comment on or make changes to this bug.