CVE-2020-2194: Stored XSS vulnerability in Jenkins ECharts API Plugin
CVSS Score: 5.4 (CVSS v3.1)
Basic Information
CVE ID:
GHSA ID:
EPSS Score: 0.32165%
CWE:
Published: 5/24/2022
Updated: 1/29/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
io.jenkins.plugins:echarts-api | maven | < 4.7.0-4 | 4.7.0-4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped build display names in the ECharts trend chart. Jenkins plugins typically render UI elements either through Jelly views (`${...}` syntax) or through Java-based data preparation. The lack of escaping of the display name field (fixed in 4.7.0-4) implies that the vulnerable function(s) inject the raw display name directly into the chart's rendering logic without sanitization. While exact file paths aren't provided, the pattern matches other Jenkins plugin XSS vulnerabilities in which user-controlled data flows into UI components without proper escaping.