VulnerableCode Package Details - pkg:maven/org.jenkins-ci.main/jenkins-core@2.228

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-9c49-hb3u-n7dq	Cross-Site Request Forgery in Jenkins An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL. Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses. In case of problems, administrators can disable this security fix by setting the system property `hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO` to `true`. As an additional safeguard, semicolon (`;`) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property `jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath` to `true`.	CVE-2020-2160 GHSA-c735-g9f2-2mvp
VCID-np2j-5nvn-3fcv	jenkins: XSS in job configuration pages	CVE-2020-2161 GHSA-g8pg-qrvm-wgh2
VCID-ttg3-j174-8yev	Improper Neutralization of Input During Web Page Generation in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate `Content-Security-Policy HTTP` headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.\n\nJenkins now sets `Content-Security-Policy` HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.\n\nThe system property `hudson.model.DirectoryBrowserSupport.CSP` can be set to override the value of `Content-Security-Policy` headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the [Resource Root URL](https://www.jenkins.io/doc/upgrade-guide/2.204/#resource-domain-support) and works the same way for file parameters. See [Configuring Content Security Policy](https://www.jenkins.io/doc/book/security/configuring-content-security-policy) to learn more.\n\nEven when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to `Content-Security-Policy` restrictions.	CVE-2020-2162 GHSA-crg2-6xv3-qg5f
VCID-znwy-pe3s-x3ay	jenkins: improperly processes HTML content of list leads to XSS	CVE-2020-2163 GHSA-2xcm-h7vv-g8m9

Vulnerability

Summary

Aliases

VCID-9c49-hb3u-n7dq

Cross-Site Request Forgery in Jenkins An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL. Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses. In case of problems, administrators can disable this security fix by setting the system property `hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO` to `true`. As an additional safeguard, semicolon (`;`) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property `jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath` to `true`.

CVE-2020-2160
GHSA-c735-g9f2-2mvp

VCID-np2j-5nvn-3fcv

jenkins: XSS in job configuration pages

CVE-2020-2161
GHSA-g8pg-qrvm-wgh2

VCID-ttg3-j174-8yev

Improper Neutralization of Input During Web Page Generation in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate `Content-Security-Policy HTTP` headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.\n\nJenkins now sets `Content-Security-Policy` HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.\n\nThe system property `hudson.model.DirectoryBrowserSupport.CSP` can be set to override the value of `Content-Security-Policy` headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the [Resource Root URL](https://www.jenkins.io/doc/upgrade-guide/2.204/#resource-domain-support) and works the same way for file parameters. See [Configuring Content Security Policy](https://www.jenkins.io/doc/book/security/configuring-content-security-policy) to learn more.\n\nEven when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to `Content-Security-Policy` restrictions.

CVE-2020-2162
GHSA-crg2-6xv3-qg5f

VCID-znwy-pe3s-x3ay

jenkins: improperly processes HTML content of list leads to XSS

CVE-2020-2163
GHSA-2xcm-h7vv-g8m9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-04T14:32:32.399056+00:00	GHSA Importer	Fixing	VCID-np2j-5nvn-3fcv	https://github.com/advisories/GHSA-g8pg-qrvm-wgh2	38.1.0
2026-04-04T14:32:32.275226+00:00	GHSA Importer	Fixing	VCID-9c49-hb3u-n7dq	https://github.com/advisories/GHSA-c735-g9f2-2mvp	38.1.0
2026-04-04T14:32:32.125717+00:00	GHSA Importer	Fixing	VCID-ttg3-j174-8yev	https://github.com/advisories/GHSA-crg2-6xv3-qg5f	38.1.0
2026-04-04T14:32:32.090584+00:00	GHSA Importer	Fixing	VCID-znwy-pe3s-x3ay	https://github.com/advisories/GHSA-2xcm-h7vv-g8m9	38.1.0
2026-04-02T12:36:34.570236+00:00	GitLab Importer	Fixing	VCID-np2j-5nvn-3fcv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2020-2161.yml	38.0.0
2026-04-02T12:36:34.356645+00:00	GitLab Importer	Fixing	VCID-9c49-hb3u-n7dq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2020-2160.yml	38.0.0
2026-04-02T12:36:34.238150+00:00	GitLab Importer	Fixing	VCID-znwy-pe3s-x3ay	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2020-2163.yml	38.0.0
2026-04-02T12:36:34.205533+00:00	GitLab Importer	Fixing	VCID-ttg3-j174-8yev	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2020-2162.yml	38.0.0
2026-04-01T13:12:00.374160+00:00	GithubOSV Importer	Fixing	VCID-ttg3-j174-8yev	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-crg2-6xv3-qg5f/GHSA-crg2-6xv3-qg5f.json	38.0.0
2026-04-01T13:10:55.413232+00:00	GithubOSV Importer	Fixing	VCID-9c49-hb3u-n7dq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c735-g9f2-2mvp/GHSA-c735-g9f2-2mvp.json	38.0.0