1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1976

[JENKINS:SECURITY-1976] Stored XSS vulnerability in upstream cause in `pipeline-maven`

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

pipeline-maven 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

pipeline-maven 3.9.3 escapes upstream job names in build causes.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/pipeline-maven <= 3.9.2
pkg:github/jenkinsci/pipeline-maven-plugin <= 3.9.2
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/pipeline-maven = 3.9.3
pkg:github/jenkinsci/pipeline-maven-plugin = 3.9.3
ID
JENKINS:SECURITY-1976
Severity
high
Published
2020-09-16T00:00:00
(4 years ago)
Modified
2020-09-16T00:00:00
(4 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository pipeline-maven repository https://github.com/jenkinsci/pipeline-maven-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/pipeline-maven org.jenkins-ci.plugins pipeline-maven <= 3.9.2
Fixed pkg:maven/org.jenkins-ci.plugins/pipeline-maven org.jenkins-ci.plugins pipeline-maven = 3.9.3
Affected pkg:github/jenkinsci/pipeline-maven-plugin jenkinsci pipeline-maven-plugin <= 3.9.2
Fixed pkg:github/jenkinsci/pipeline-maven-plugin jenkinsci pipeline-maven-plugin = 3.9.3
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date