Miggo Logo
Miggo Vulnerability Database
CVE-2020-2194

CVE-2020-2194: Stored XSS vulnerability in Jenkins ECharts API Plugin

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2194
GHSA ID
GHSA-q397-w28f-jx97
EPSS Score
0.32165%
CWE
CWE-79
Published
5/24/2022
Updated
1/29/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.jenkins.plugins:echarts-apimaven< 4.7.0-44.7.0-4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped build display names in the ECharts trend chart. Jenkins plugins typically use Jelly views (${...} syntax) or Java-based data preparation to render UI elements. The lack of escaping in the display name field (fixed in 4.7.0-4) implies the vulnerable function(s) directly injects the raw display name into the chart's rendering logic without sanitization. While exact file paths aren't provided, the pattern matches Jenkins plugin XSS vulnerabilities where user-controlled data flows into UI components without proper escaping.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

****rts *PI Plu*in *.*.*-* *n* **rli*r *o*s not *s**p* t** *ispl*y n*m* o* t** *uil*s in t** tr*n* ***rt. T*is r*sults in * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility t**t **n ** *xploit** *y us*rs wit* Run/Up**t* p*rmission. ****rts *PI Plu*i

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** *uil* *ispl*y n*m*s in t** ****rts tr*n* ***rt. J*nkins plu*ins typi**lly us* J*lly vi*ws (${...} synt*x) or J*v*-**s** **t* pr*p*r*tion to r*n**r UI *l*m*nts. T** l**k o* *s**pin* in t** *ispl*y n*m* *i*l* (*ix