Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

References: https://www.jenkins.io/security/advisory/2020-07-15/
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1857434]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-2223
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:3541 https://access.redhat.com/errata/RHSA-2020:3541
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808