[org.jenkins-ci.plugins:pipeline-maven] Stored XSS vulnerability in Pipeline Maven Integration Plugin via unescaped display name

Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2256
• https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1976
• http://www.openwall.com/lists/oss-security/2020/09/16/3
• https://github.com/advisories/GHSA-hq2h-9mc3-h6w2