Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2257
• https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1935
• http://www.openwall.com/lists/oss-security/2020/09/16/3
• jenkinsci/validating-string-parameter-plugin@345a79d