Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description, that is displayed on item creation.\n\nThis results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.\n\nJenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

Affected Packages

Maven org.jenkins-ci.main:jenkins-core

Affected versions: 0 (fixed in 2.235.4)

Maven org.jenkins-ci.main:jenkins-core

Affected versions: 2.236 (fixed in 2.252)

Related CVEs

CVE-2020-2230

Key Information

GHSA ID

GHSA-9g4m-ffx6-c29g

Published

May 24, 2022 5:25 PM

Last Modified

December 20, 2022 6:52 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.main:jenkins-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 24, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.