CVE-2020-2190 — Improper Neutralization of Input During Web Page Generation in Jenkins Script Se

Description

Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.

How to fix CVE-2020-2190

To remediate CVE-2020-2190, upgrade the affected package to a fixed version below.

—upgrade to 1.73 or later

Is CVE-2020-2190 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.73

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2190
WEBgithub.com/jenkinsci/script-security-plugin/commit/99e6ac0df5fe0f0cc6c2a695f7c1f845279bedbd
WEBjenkins.io/security/advisory/2020-06-03/#SECURITY-1866
WEBwww.openwall.com/lists/oss-security/2020/06/03/3