VulnerableCode Package Details - pkg:rpm/redhat/jenkins-2-plugins@4.3.1601981312-1?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-cnub-whtt-c7ej Aliases: CVE-2020-2224 GHSA-h6qc-455m-7v6v	Stored XSS vulnerability in single axis builds tooltips in Jenkins Matrix Project Plugin Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission. Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.	There are no reported fixed by versions.
VCID-f1w8-m5ur-sbfk Aliases: CVE-2020-2181 GHSA-43j2-r4v3-m8jp	Secrets are not masked by Jenkins Credentials Binding Plugin in builds without build steps Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. Jenkins Credentials Binding Plugin 1.23 now masks secrets when the build contains no build steps.	There are no reported fixed by versions.
VCID-gphv-efsc-57ef Aliases: CVE-2020-2226 GHSA-vr6v-wjfw-rxcr	Stored XSS vulnerability in Jenkins Matrix Authorization Strategy Plugin Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission, otherwise by users with Overall/Administer permission. Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission table.	There are no reported fixed by versions.
VCID-js1p-kbgy-6be8 Aliases: CVE-2020-2225 GHSA-w43x-5f8f-686p	Stored XSS vulnerability in multiple axis builds tooltips in Jenkins Matrix Project Plugin Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.	There are no reported fixed by versions.
VCID-u1n4-5c5f-5bfx Aliases: CVE-2020-2182 GHSA-7ff8-qfwx-8gx5	Improper masking of some secrets in Jenkins Credentials Binding Plugin Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for [SECURITY-698](https://www.jenkins.io/security/advisory/2018-02-05/#credentials-binding), `$` characters in secrets are escaped to `$$`. This will then be expanded to $ again once the secret is passed to (post) build steps. Credentials Binding Plugin 1.22 and earlier does not mask the escaped form of the secret (containing `$$`). This occurs for example in the \"Execute Maven top-level targets\" build step included in Jenkins.\n\nCredentials Binding Plugin 1.23 now masks secrets both in their original form and with escaped `$` characters, so they will be masked even if printed before value expansion.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-cnub-whtt-c7ej
Aliases:
CVE-2020-2224
GHSA-h6qc-455m-7v6v

Stored XSS vulnerability in single axis builds tooltips in Jenkins Matrix Project Plugin Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission. Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.