VulnerableCode Package Details - pkg:maven/org.jenkins-ci.main/jenkins-core@2.235.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-he3v-ysf3-zkb8 Aliases: CVE-2020-2223 GHSA-gfhj-524q-gcrm	Stored XSS vulnerability in Jenkins console links Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the `href` attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the `href` attribute of these links.	2.235.2 Affected by 0 other vulnerabilities. 2.245 Affected by 0 other vulnerabilities.
VCID-kusb-1k76-a3ck Aliases: CVE-2020-2220 GHSA-qgj4-rc8m-44mq	Stored XSS vulnerability in Jenkins job build time trend Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the agent name.	2.235.2 Affected by 0 other vulnerabilities. 2.245 Affected by 0 other vulnerabilities.
VCID-nqxw-x7ea-aqew Aliases: CVE-2020-2221 GHSA-g4j6-m3m3-crw8	Stored XSS vulnerability in Jenkins upstream cause Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the job display name.	2.235.2 Affected by 0 other vulnerabilities. 2.245 Affected by 0 other vulnerabilities.
VCID-v5aw-ffxe-ckdv Aliases: CVE-2020-2222 GHSA-864v-5q2g-fr64	Stored XSS vulnerability in Jenkins 'keep forever' badge icon Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations. Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.	2.235.2 Affected by 0 other vulnerabilities. 2.245 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-he3v-ysf3-zkb8
Aliases:
CVE-2020-2223
GHSA-gfhj-524q-gcrm

Stored XSS vulnerability in Jenkins console links Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the `href` attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the `href` attribute of these links.

2.235.2
Affected by 0 other vulnerabilities.

2.245
Affected by 0 other vulnerabilities.

VCID-kusb-1k76-a3ck
Aliases:
CVE-2020-2220
GHSA-qgj4-rc8m-44mq

Stored XSS vulnerability in Jenkins job build time trend Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the agent name.

2.235.2
Affected by 0 other vulnerabilities.

2.245
Affected by 0 other vulnerabilities.

VCID-nqxw-x7ea-aqew
Aliases:
CVE-2020-2221
GHSA-g4j6-m3m3-crw8

Stored XSS vulnerability in Jenkins upstream cause Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the job display name.

2.235.2
Affected by 0 other vulnerabilities.

2.245
Affected by 0 other vulnerabilities.

VCID-v5aw-ffxe-ckdv
Aliases:
CVE-2020-2222
GHSA-864v-5q2g-fr64

Stored XSS vulnerability in Jenkins 'keep forever' badge icon Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations. Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.

2.235.2
Affected by 0 other vulnerabilities.

2.245
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-04T14:32:40.589821+00:00	GHSA Importer	Affected by	VCID-v5aw-ffxe-ckdv	https://github.com/advisories/GHSA-864v-5q2g-fr64	38.1.0
2026-04-04T14:32:40.370648+00:00	GHSA Importer	Affected by	VCID-he3v-ysf3-zkb8	https://github.com/advisories/GHSA-gfhj-524q-gcrm	38.1.0
2026-04-04T14:32:40.309045+00:00	GHSA Importer	Affected by	VCID-kusb-1k76-a3ck	https://github.com/advisories/GHSA-qgj4-rc8m-44mq	38.1.0
2026-04-04T14:32:40.275933+00:00	GHSA Importer	Affected by	VCID-nqxw-x7ea-aqew	https://github.com/advisories/GHSA-g4j6-m3m3-crw8	38.1.0