Jenkins Multiple Stored XSS and Authorization Flaws (CVE-2020-2220 to 2228)

Vulnerabilities: - SECURITY-1868 / CVE-2020-2220: Stored XSS vulnerability in job build time trend. - SECURITY-1901 / CVE-2020-2221: Stored XSS vulnerability in upstream cause. - SECURITY-1902 / CVE-2020-2222: Stored XSS vulnerability in 'keep forever' badge icons. - SECURITY-1945 / CVE-2020-2223: Stored XSS vulnerability in console links. - SECURITY-1924 / CVE-2020-2224: Stored XSS vulnerability in single axis builds tooltips in Matrix Project Plugin. - SECURITY-1925 / CVE-2020-2225: Stored XSS vulnerability in multiple axis builds tooltips in Matrix Project Plugin. - SECURITY-1909 / CVE-2020-2226: Stored XSS vulnerability in Matrix Authorization Strategy Plugin. - SECURITY-1915 / CVE-2020-2227: Stored XSS vulnerability in Deployer Framework Plugin. - SECURITY-1792 / CVE-2020-2228: Improper authorization of users and groups with the same base name in GitLab Authentication Plugin. Severity: All vulnerabilities have a CVSS rating of High. Affected Versions: - Jenkins weekly up to and including 2.244 - Jenkins LTS up to and including 2.235.1 - Deployer Framework Plugin up to and including 1.2 - GitLab Authentication Plugin up to and including 1.5 - Matrix Authorization Strategy Plugin up to and including 2.6.1 - Matrix Project Plugin up to and including 1.16 Fix: - Jenkins weekly should be updated to version 2.245 - Jenkins LTS should be updated to version 2.235.2 - Deployer Framework Plugin should be updated to version 1.3 - GitLab Authentication Plugin should be updated to version 1.6 - Matrix Authorization Strategy Plugin should be updated to version 2.6.2 - Matrix Project Plugin should be updated to version 1.17 Credit: The Jenkins project thanks the reporters for discovering and reporting these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Multiple Stored XSS and Authorization Flaws (CVE-2020-2220 to 2228)