[org.jenkins-ci.plugins:timestamper] Stored XSS vulnerability in Jenkins Timestamper Plugin

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2137
• https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1784
• http://www.openwall.com/lists/oss-security/2020/03/09/1
• https://github.com/advisories/GHSA-6xxf-rwv4-mrjm