Jenkins Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Affected Packages

Maven org.jvnet.hudson.plugins:locked-files-report

Affected versions: 0 (last affected: 1.6)

Related CVEs

CVE-2020-2271

Key Information

GHSA ID

GHSA-9rhc-vjjp-gccw

Published

May 24, 2022 5:28 PM

Last Modified

December 29, 2022 1:45 AM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jvnet.hudson.plugins:locked-files-report

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.