VulnerableCode Package Details - pkg:rpm/redhat/openshift-ansible@4.4.0-202006061254.git.1.a996454?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-9c49-hb3u-n7dq Aliases: CVE-2020-2160 GHSA-c735-g9f2-2mvp	Cross-Site Request Forgery in Jenkins An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL. Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses. In case of problems, administrators can disable this security fix by setting the system property `hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO` to `true`. As an additional safeguard, semicolon (`;`) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property `jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath` to `true`.	There are no reported fixed by versions.
VCID-np2j-5nvn-3fcv Aliases: CVE-2020-2161 GHSA-g8pg-qrvm-wgh2	jenkins: XSS in job configuration pages	There are no reported fixed by versions.
VCID-ttg3-j174-8yev Aliases: CVE-2020-2162 GHSA-crg2-6xv3-qg5f	Improper Neutralization of Input During Web Page Generation in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate `Content-Security-Policy HTTP` headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.\n\nJenkins now sets `Content-Security-Policy` HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.\n\nThe system property `hudson.model.DirectoryBrowserSupport.CSP` can be set to override the value of `Content-Security-Policy` headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the [Resource Root URL](https://www.jenkins.io/doc/upgrade-guide/2.204/#resource-domain-support) and works the same way for file parameters. See [Configuring Content Security Policy](https://www.jenkins.io/doc/book/security/configuring-content-security-policy) to learn more.\n\nEven when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to `Content-Security-Policy` restrictions.	There are no reported fixed by versions.
VCID-znwy-pe3s-x3ay Aliases: CVE-2020-2163 GHSA-2xcm-h7vv-g8m9	jenkins: improperly processes HTML content of list leads to XSS	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-9c49-hb3u-n7dq
Aliases:
CVE-2020-2160
GHSA-c735-g9f2-2mvp

Cross-Site Request Forgery in Jenkins An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL. Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses. In case of problems, administrators can disable this security fix by setting the system property `hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO` to `true`. As an additional safeguard, semicolon (`;`) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property `jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath` to `true`.

There are no reported fixed by versions.

VCID-np2j-5nvn-3fcv
Aliases:
CVE-2020-2161
GHSA-g8pg-qrvm-wgh2

jenkins: XSS in job configuration pages

There are no reported fixed by versions.

VCID-ttg3-j174-8yev
Aliases:
CVE-2020-2162
GHSA-crg2-6xv3-qg5f

Improper Neutralization of Input During Web Page Generation in Jenkins Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate `Content-Security-Policy HTTP` headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.\n\nJenkins now sets `Content-Security-Policy` HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.\n\nThe system property `hudson.model.DirectoryBrowserSupport.CSP` can be set to override the value of `Content-Security-Policy` headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the [Resource Root URL](https://www.jenkins.io/doc/upgrade-guide/2.204/#resource-domain-support) and works the same way for file parameters. See [Configuring Content Security Policy](https://www.jenkins.io/doc/book/security/configuring-content-security-policy) to learn more.\n\nEven when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to `Content-Security-Policy` restrictions.

There are no reported fixed by versions.

VCID-znwy-pe3s-x3ay
Aliases:
CVE-2020-2163
GHSA-2xcm-h7vv-g8m9

jenkins: improperly processes HTML content of list leads to XSS

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:09:30.335674+00:00	RedHat Importer	Affected by	VCID-ttg3-j174-8yev	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2162.json	38.0.0
2026-04-01T14:09:29.953358+00:00	RedHat Importer	Affected by	VCID-np2j-5nvn-3fcv	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2161.json	38.0.0
2026-04-01T14:09:29.551073+00:00	RedHat Importer	Affected by	VCID-9c49-hb3u-n7dq	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2160.json	38.0.0
2026-04-01T14:09:28.999380+00:00	RedHat Importer	Affected by	VCID-znwy-pe3s-x3ay	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2163.json	38.0.0