{"id":"GHSA-864v-5q2g-fr64","summary":"Stored XSS vulnerability in Jenkins 'keep forever' badge icon","details":"Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names.\n\nAs job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations.\n\nJenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.","aliases":["BIT-jenkins-2020-2222","CVE-2020-2222"],"modified":"2024-02-16T08:11:17.023114Z","published":"2022-05-24T17:23:39Z","database_specific":{"cwe_ids":["CWE-79"],"nvd_published_at":"2020-07-15T18:15:00Z","severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2022-06-24T00:54:30Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-2222"},{"type":"WEB","url":"https://github.com/jenkinsci/jenkins/commit/e7443ef2ef255253231f3f1db0034fae39f0cba5"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/jenkins"},{"type":"WEB","url":"https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1902"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2020/07/15/5"}],"affected":[{"package":{"name":"org.jenkins-ci.main:jenkins-core","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.235.2"}]}],"versions":["1.396","1.397","1.398","1.399","1.400","1.401","1.403","1.404","1.405","1.406","1.407","1.408","1.409","1.409.1","1.409.2","1.409.3","1.410","1.411","1.412","1.413","1.414","1.415","1.416","1.417","1.418","1.419","1.420","1.421","1.422","1.423","1.424","1.424.1","1.424.2","1.424.3","1.424.4","1.424.5","1.424.6","1.425","1.426","1.427","1.428","1.429","1.430","1.431","1.432","1.433","1.434","1.435","1.436","1.437","1.438","1.439","1.440","1.441","1.442","1.443","1.444","1.445","1.446","1.447","1.447.1","1.447.2","1.448","1.449","1.450","1.451","1.452","1.453","1.454","1.455","1.456","1.457","1.458","1.459","1.460","1.461","1.462","1.463","1.464","1.465","1.466","1.466.1","1.466.2","1.467","1.468","1.469","1.470","1.471","1.472","1.473","1.474","1.475","1.476","1.477","1.478","1.479","1.480","1.480.1","1.480.2","1.480.3","1.481","1.482","1.483","1.484","1.485","1.486","1.487","1.488","1.489","1.490","1.491","1.492","1.493","1.494","1.495","1.496","1.497","1.498","1.499","1.500","1.501","1.502","1.503","1.504","1.505","1.506","1.507","1.508","1.509","1.509.1","1.509.2","1.509.2.JENKINS-14362-jzlib","1.509.2.JENKINS-8856-diag","1.509.3","1.509.3.JENKINS-14362-jzlib","1.509.4","1.510","1.511","1.512","1.513","1.514","1.515","1.516","1.516.JENKINS-14362-jzlib","1.517","1.518","1.518.JENKINS-14362-jzlib","1.519","1.520","1.521","1.522","1.523","1.524","1.525","1.526","1.527","1.528","1.529","1.530","1.531","1.532","1.532.1","1.532.1.JENKINS-19453","1.532.2","1.532.2.JENKINS-21622-diag","1.532.2.JENKINS-22395-diag","1.532.3","1.532.3.JENKINS-22395","1.532.3.JENKINS-22395-2","1.533","1.534","1.535","1.536","1.537","1.538","1.539","1.540","1.541","1.542","1.543","1.544","1.545","1.546","1.547","1.548","1.549","1.550","1.551","1.552","1.553","1.554","1.554.1","1.554.2","1.554.3","1.554.3.JENKINS-18065-ALLRM-all","1.554.3.JENKINS-18065-JENKINS-23945","1.555","1.556","1.557","1.558","1.559","1.560","1.561","1.562","1.563","1.564","1.565","1.565.1","1.565.1.JENKINS-22395-dropLinks","1.565.2","1.565.3","1.566","1.567","1.568","1.569","1.570","1.571","1.572","1.573","1.574","1.575","1.576","1.577","1.578","1.579","1.580","1.580.1","1.580.2","1.580.3","1.581","1.582","1.583","1.584","1.585","1.586","1.587","1.588","1.589","1.590","1.591","1.592","1.593","1.594","1.595","1.596","1.596.1","1.596.2","1.596.3","1.597","1.598","1.599","1.600","1.601","1.602","1.604","1.605","1.606","1.607","1.608","1.609","1.609.1","1.609.2","1.609.3","1.610","1.611","1.612","1.613","1.614","1.615","1.616","1.617","1.618","1.619","1.620","1.621","1.622","1.623","1.624","1.625","1.625.1","1.625.2","1.625.3","1.626","1.627","1.628","1.629","1.630","1.631","1.632","1.633","1.634","1.635","1.636","1.637","1.638","1.639","1.640","1.641","1.642","1.642.1","1.642.2","1.642.3","1.642.4","1.643","1.644","1.645","1.646","1.647","1.648","1.649","1.650","1.651","1.651.1","1.651.2","1.651.3","1.652","1.653","1.654","1.655","1.656","1.657","1.658","2.0","2.0-alpha-1","2.0-alpha-2","2.0-alpha-3","2.0-alpha-4","2.0-beta-1","2.0-beta-2","2.0-rc-1","2.1","2.10","2.100","2.101","2.102","2.103","2.104","2.105","2.106","2.107","2.107.1","2.107.2","2.107.3","2.108","2.109","2.11","2.110","2.111","2.112","2.113","2.114","2.115","2.116","2.117","2.118","2.119","2.12","2.120","2.121","2.121.1","2.121.2","2.121.3","2.122","2.123","2.124","2.125","2.126","2.127","2.128","2.129","2.13","2.130","2.131","2.132","2.133","2.134","2.135","2.136","2.137","2.138","2.138.1","2.138.2","2.138.3","2.138.4","2.14","2.140","2.141","2.142","2.143","2.144","2.145","2.146","2.147","2.148","2.149","2.15","2.150","2.150.1","2.150.2","2.150.3","2.151","2.152","2.153","2.154","2.155","2.156","2.157","2.158","2.159","2.16","2.160","2.161","2.162","2.163","2.164","2.164.1","2.164.2","2.164.3","2.165","2.166","2.167","2.168","2.169","2.17","2.170","2.171","2.172","2.173","2.174","2.175","2.176","2.176.1","2.176.2","2.176.3","2.176.4","2.177","2.178","2.179","2.18","2.180","2.181","2.182","2.183","2.184","2.185","2.186","2.187","2.189","2.19","2.19.1","2.19.2","2.19.3","2.19.4","2.190","2.190.1","2.190.2","2.190.3","2.191","2.192","2.193","2.194","2.195","2.196","2.197","2.198","2.199","2.2","2.20","2.200","2.201","2.202","2.203","2.204","2.204.1","2.204.2","2.204.3","2.204.4","2.204.5","2.204.6","2.205","2.206","2.207","2.208","2.209","2.21","2.210","2.211","2.212","2.213","2.214","2.215","2.216","2.217","2.218","2.219","2.22","2.220","2.221","2.222","2.222.1","2.222.3","2.222.4","2.223","2.224","2.225","2.226","2.227","2.228","2.229","2.23","2.230","2.231","2.232","2.233","2.234","2.235","2.235.1","2.24","2.25","2.26","2.27","2.28","2.29","2.3","2.30","2.31","2.32","2.32.1","2.32.2","2.32.3","2.33","2.34","2.35","2.36","2.37","2.38","2.39","2.4","2.40","2.41","2.42","2.43","2.44","2.45","2.46","2.46.1","2.46.2","2.46.3","2.47","2.48","2.49","2.5","2.50","2.51","2.52","2.53","2.54","2.55","2.56","2.57","2.58","2.59","2.6","2.60","2.60.1","2.60.2","2.60.3","2.61","2.62","2.63","2.64","2.65","2.66","2.67","2.68","2.69","2.7","2.7.1","2.7.2","2.7.3","2.7.4","2.70","2.71","2.72","2.73","2.73.1","2.73.2","2.73.3","2.74","2.75","2.76","2.77","2.78","2.79","2.8","2.80","2.81","2.82","2.83","2.84","2.85","2.86","2.87","2.88","2.89","2.89.1","2.89.2","2.89.3","2.89.4","2.9","2.90","2.91","2.92","2.93","2.94","2.95","2.96","2.97","2.98","2.99"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-864v-5q2g-fr64/GHSA-864v-5q2g-fr64.json","last_known_affected_version_range":"\u003c= 2.235.1"}},{"package":{"name":"org.jenkins-ci.main:jenkins-core","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.main/jenkins-core"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.236"},{"fixed":"2.245"}]}],"versions":["2.236","2.237","2.238","2.239","2.240","2.241","2.242","2.243","2.244"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-864v-5q2g-fr64/GHSA-864v-5q2g-fr64.json","last_known_affected_version_range":"\u003c= 2.244"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}