
CVE-2020-2201: Stored XSS vulnerability in Jenkins Sonargraph Integration Plugin

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.26516%
Published: 5/24/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name: org.jenkins-ci.plugins:sonargraph-integration
Ecosystem: Maven
Vulnerable Versions: <= 3.0.0
First Patched Version: 3.0.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from missing output encoding in the form validation for the Log file field: the file path entered by a job configurer is echoed back into the validation error message without HTML escaping. Because the path is saved with the job configuration, a user holding Job/Configure permission can store a script payload as the path, and it is rendered whenever that validation runs again, which makes this a stored rather than reflected XSS. Jenkins plugins conventionally implement form validation as doCheck[FieldName] methods on the step's Descriptor, the advisory names the log file path validation as the vulnerable component, and the fix in 3.0.1 escapes the path in that error message. The identified function name follows the Jenkins plugin convention, and its location matches the standard Maven project layout for Jenkins plugins.
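The following is an added example, not code from the Sonargraph Integration Plugin or from this page, written to show the shape of the bug described above next to its fix. The class, field and method names (SonargraphStepExample, logFile, doCheckLogFile) are assumptions; the plugin's real identifiers are not given here. It relies only on public Jenkins core APIs: FormValidation.errorWithMarkup renders its argument as HTML verbatim, while FormValidation.error(String) and hudson.Util.escape HTML-escape it.

```java
// Added example (not the plugin's code). Names marked "assumed" are not from the page.
package example;

import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

import java.io.File;

public class SonargraphStepExample extends Builder {   // assumed class name

    private final String logFile;                        // assumed field name

    @DataBoundConstructor
    public SonargraphStepExample(String logFile) {
        this.logFile = logFile;
    }

    public String getLogFile() {
        return logFile;
    }

    // Vulnerable shape: the user-controlled path is concatenated into markup and
    // returned through errorWithMarkup(), which the browser renders as HTML.
    // A job configurer can save a "path" such as
    //   <img src=x onerror=alert(document.domain)>
    // and the script runs for anyone whose browser triggers this validation on
    // the job's configuration form.
    public static FormValidation vulnerableCheck(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        if (!new File(value).exists()) {
            return FormValidation.errorWithMarkup("Log file not found: <b>" + value + "</b>");
        }
        return FormValidation.ok();
    }

    // Hardened shape: escape the user-controlled part before it reaches markup.
    // Equivalent and simpler: FormValidation.error("Log file not found: " + value),
    // which escapes the whole message itself.
    public static FormValidation hardenedCheck(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        if (!new File(value).exists()) {
            return FormValidation.errorWithMarkup("Log file not found: <b>" + Util.escape(value) + "</b>");
        }
        return FormValidation.ok();
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Stapler routes the config form's validation request for the "logFile"
        // field to this method; @QueryParameter binds the submitted value.
        // The permission check limits who may probe file existence on the
        // controller; it does not by itself prevent the XSS, escaping does.
        public FormValidation doCheckLogFile(@AncestorInPath Item item,   // assumed method name
                                             @QueryParameter String value) {
            if (item != null) {
                item.checkPermission(Item.CONFIGURE);
            }
            return hardenedCheck(value);
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Sonargraph step (example)";
        }
    }
}
```

When auditing a plugin for this class of bug, look for every doCheck* method and trace any @QueryParameter value into FormValidation.errorWithMarkup, warningWithMarkup, okWithMarkup or respond(); those are the only FormValidation entry points that skip escaping, and each needs Util.escape (or the non-markup variant) on the user-controlled part.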

WAF Protection Rules

WAF Rule

Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission. So
