GHSA-f4gq-7hvf-fjm3

GitHub Security Advisory

Stored XSS vulnerability in Jenkins RapidDeploy Plugin

✓ GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs.

RapidDeploy Plugin 4.2.1 escapes package names.

Affected Packages

Maven org.jenkins-ci.plugins:rapiddeploy-jenkins
Affected versions: 0 (fixed in 4.2.1)

Key Information

GHSA ID: GHSA-f4gq-7hvf-fjm3
Published: May 24, 2022 5:12 PM
Last Modified: December 22, 2022 2:04 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:rapiddeploy-jenkins
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.