CVE-2020-2194: Stored XSS vulnerability in Jenkins ECharts API Plugin

CVSS Score (v3.1)
5.4

Basic Information

EPSS Score
0.32165%
Published
5/24/2022
Updated
1/29/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
io.jenkins.plugins:echarts-api
Ecosystem
maven
Vulnerable Versions
< 4.7.0-4
First Patched Version
4.7.0-4

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from unescaped build display names in the ECharts trend chart. Jenkins plugins typically render UI elements either through Jelly views (${...} syntax) or through Java code that prepares the chart data. The missing escaping of the display name field (fixed in 4.7.0-4) implies that the vulnerable function(s) inject the raw display name directly into the chart's rendering logic without sanitization. Exact file paths are not provided, but the pattern matches other Jenkins plugin XSS vulnerabilities in which user-controlled data flows into UI components without proper escaping.
