{
  "threat_severity" : "Moderate",
  "public_date" : "2020-08-12T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins: user-specified tooltip values lead to stored cross-site scripting",
    "id" : "1874830",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1874830"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.", "A flaw was found in Jenkins in versions prior to 2.251 and LTS 2.235.3. Tooltip values, which are not properly escaped, can be contributed by plugins and use user-specified values. This results in a potential stored cross-site scripting (XSS) vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2020-10-22T00:00:00Z",
    "advisory" : "RHSA-2020:4223",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-0:2.235.5.1600415953-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-09-23T00:00:00Z",
    "advisory" : "RHSA-2020:3808",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el7",
    "package" : "jenkins-0:2.235.5.1600415514-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.4",
    "release_date" : "2020-10-13T00:00:00Z",
    "advisory" : "RHSA-2020:4220",
    "cpe" : "cpe:/a:redhat:openshift:4.4::el7",
    "package" : "openshift4/ose-jenkins:v4.4.0-202009260441.p0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:3841",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "jenkins-0:2.235.5.1600414805-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-2229\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-2229\nhttps://jenkins.io/security/advisory/2020-08-12/#SECURITY-1955" ],
  "name" : "CVE-2020-2229",
  "csaw" : false
}