VulnerableCode Package Details - pkg:rpm/redhat/jenkins@2.235.2.1597312065-1?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-he3v-ysf3-zkb8 Aliases: CVE-2020-2223 GHSA-gfhj-524q-gcrm	Stored XSS vulnerability in Jenkins console links Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the `href` attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the `href` attribute of these links.	There are no reported fixed by versions.
VCID-kusb-1k76-a3ck Aliases: CVE-2020-2220 GHSA-qgj4-rc8m-44mq	Stored XSS vulnerability in Jenkins job build time trend Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the agent name.	There are no reported fixed by versions.
VCID-nqxw-x7ea-aqew Aliases: CVE-2020-2221 GHSA-g4j6-m3m3-crw8	Stored XSS vulnerability in Jenkins upstream cause Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the job display name.	There are no reported fixed by versions.
VCID-v5aw-ffxe-ckdv Aliases: CVE-2020-2222 GHSA-864v-5q2g-fr64	Stored XSS vulnerability in Jenkins 'keep forever' badge icon Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations. Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-he3v-ysf3-zkb8
Aliases:
CVE-2020-2223
GHSA-gfhj-524q-gcrm

Stored XSS vulnerability in Jenkins console links Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the `href` attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the `href` attribute of these links.

There are no reported fixed by versions.

VCID-kusb-1k76-a3ck
Aliases:
CVE-2020-2220
GHSA-qgj4-rc8m-44mq

Stored XSS vulnerability in Jenkins job build time trend Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name in the build time trend page, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the agent name.

There are no reported fixed by versions.

VCID-nqxw-x7ea-aqew
Aliases:
CVE-2020-2221
GHSA-g4j6-m3m3-crw8

Stored XSS vulnerability in Jenkins upstream cause Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the job display name.

There are no reported fixed by versions.

VCID-v5aw-ffxe-ckdv
Aliases:
CVE-2020-2222
GHSA-864v-5q2g-fr64

Stored XSS vulnerability in Jenkins 'keep forever' badge icon Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations. Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:05:47.476104+00:00	RedHat Importer	Affected by	VCID-he3v-ysf3-zkb8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2223.json	38.0.0
2026-04-01T14:05:47.396171+00:00	RedHat Importer	Affected by	VCID-v5aw-ffxe-ckdv	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2222.json	38.0.0
2026-04-01T14:05:47.314473+00:00	RedHat Importer	Affected by	VCID-nqxw-x7ea-aqew	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2221.json	38.0.0
2026-04-01T14:05:47.233404+00:00	RedHat Importer	Affected by	VCID-kusb-1k76-a3ck	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2220.json	38.0.0