[org.jenkins-ci.main:jenkins-core] Stored XSS vulnerability in Jenkins console links

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the href attribute of these links.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2223
• https://jenkins.io/security/advisory/2020-07-15/#SECURITY-1945
• http://www.openwall.com/lists/oss-security/2020/07/15/5
• https://github.com/advisories/GHSA-gfhj-524q-gcrm