{
  "threat_severity" : "Moderate",
  "public_date" : "2020-08-12T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins: stored XSS vulnerability in project naming strategy",
    "id" : "1875232",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1875232"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the project naming strategy description, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.", "A flaw was found in Jenkins in versions prior to 2.251 and LTS 2.235.3. The project naming strategy description, displayed on item creation, is not properly escaped. This can result in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission. The highest threat from this vulnerability is to data confidentiality and integrity." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2020-10-22T00:00:00Z",
    "advisory" : "RHSA-2020:4223",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-0:2.235.5.1600415953-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-09-23T00:00:00Z",
    "advisory" : "RHSA-2020:3808",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el7",
    "package" : "jenkins-0:2.235.5.1600415514-1.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.4",
    "release_date" : "2020-10-13T00:00:00Z",
    "advisory" : "RHSA-2020:4220",
    "cpe" : "cpe:/a:redhat:openshift:4.4::el7",
    "package" : "openshift4/ose-jenkins:v4.4.0-202009260441.p0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2020-09-30T00:00:00Z",
    "advisory" : "RHSA-2020:3841",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "jenkins-0:2.235.5.1600414805-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-2230\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-2230\nhttps://jenkins.io/security/advisory/2020-08-12/#SECURITY-1957" ],
  "name" : "CVE-2020-2230",
  "csaw" : false
}