CVE-2020-2161: 
Java vulnerability analysis and mitigation

CVE-2020-2161 is a stored cross-site scripting (XSS) vulnerability discovered in Jenkins versions 2.227 and earlier, and LTS 2.204.5 and earlier. The vulnerability was disclosed on March 25, 2020, and affects the label expression validation functionality in job configuration pages (Jenkins Advisory, OSS Security).

The vulnerability exists because Jenkins does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages. The vulnerability has a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires low attack complexity, requires low privileges, and needs user interaction to be exploited (NVD).

When successfully exploited, this vulnerability allows attackers to execute stored cross-site scripting attacks through node labels. The impact is limited to users who have Agent/Configure permissions and are able to define node labels, which can then be referenced in job configurations to restrict where a job can be run (Jenkins Advisory).

The vulnerability was fixed in Jenkins weekly version 2.228 and Jenkins LTS version 2.204.6 or 2.222.1. The fix ensures that Jenkins correctly escapes node labels that are shown in form validation on job configuration pages. Users are strongly advised to upgrade to these or later versions to address the vulnerability (Jenkins Advisory).