CVE-2020-2221: Stored XSS vulnerability in Jenkins upstream cause

CVSS Score
8.0 (CVSS v3.1)

Basic Information

EPSS Score
0.67956%
Published
5/24/2022
Updated
12/22/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package Name                        Ecosystem   Vulnerable Versions     First Patched Version
org.jenkins-ci.main:jenkins-core    maven       <= 2.235.1              2.235.2
org.jenkins-ci.main:jenkins-core    maven       >= 2.236, <= 2.244      2.245

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper escaping of the upstream job's display name in the build cause description. The Jelly template emits the localized message with `<j:out>`, which writes its value to the page as raw markup and performs no escaping; the message has to be emitted raw because it carries the HTML anchors that link to the upstream job and build. The upstream job's display name (fullDisplayName) was interpolated into that message format string without being escaped individually, so HTML or JavaScript placed in a job display name was rendered live wherever the build cause was shown. The commit diff touches this `<j:out>` output in the Jelly template, and the added test cases inject a `<script>` payload into a display name and confirm that it is rendered escaped rather than executed, which pins down the vulnerable code path.
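
The following is an added example, not Jenkins' own code, showing the failure mode described above: a message that legitimately contains HTML anchors is written to the page raw (as `<j:out>` does), so the only safe place to escape is each interpolated argument. The message text, the `escape` helper and the sample job name are assumptions modelled on the description above (Jenkins has its own `Messages.properties` entry and escaping helper; neither is reproduced here). `renderVulnerable` mirrors the pre-fix behaviour, `renderFixed` the behaviour of the patched releases, and `renderWholeMessageEscaped` shows why escaping the entire message is not a substitute: it neutralises the payload but also destroys the links.

```java
import java.text.MessageFormat;

/** Added example (not Jenkins' code): escaping the arguments vs. escaping the message. */
public class UpstreamCauseDescription {

    // Modelled on the started_by_project message the build-cause template formats
    // (exact wording is an assumption). The anchors are intentional markup, so the
    // formatted message must be emitted unescaped; that is exactly why the
    // arguments have to be escaped *before* formatting. In MessageFormat, '' is a literal quote.
    static final String STARTED_BY_PROJECT =
        "Started by upstream project \"<a href=''{2}''>{0}</a>\" build number <a href=''{3}''>{1}</a>";

    /** Minimal HTML escaping for text and attribute context (a stand-in for Jenkins' own helper). */
    static String escape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Pre-fix behaviour: display names are dropped into the HTML message unescaped. */
    static String renderVulnerable(String jobName, String buildName, String jobUrl, String buildUrl) {
        return MessageFormat.format(STARTED_BY_PROJECT, jobName, buildName, jobUrl, buildUrl);
    }

    /** Post-fix behaviour: escape each attacker-influenced argument; the message's anchors stay intact. */
    static String renderFixed(String jobName, String buildName, String jobUrl, String buildUrl) {
        return MessageFormat.format(STARTED_BY_PROJECT, escape(jobName), escape(buildName), jobUrl, buildUrl);
    }

    /** The wrong fix: escaping the whole message also escapes the anchors, so the links stop working. */
    static String renderWholeMessageEscaped(String jobName, String buildName, String jobUrl, String buildUrl) {
        return escape(renderVulnerable(jobName, buildName, jobUrl, buildUrl));
    }

    public static void main(String[] args) {
        // Constructed payload: a job display name carrying a script tag. The build cause on the
        // downstream build page is rendered for every viewer, which is what makes the XSS stored.
        String jobName  = "Build<script>alert(document.domain)</script>";
        String buildName = "#12";
        String jobUrl   = "/job/upstream/";
        String buildUrl = "/job/upstream/12/";

        String vulnerable = renderVulnerable(jobName, buildName, jobUrl, buildUrl);
        String fixed      = renderFixed(jobName, buildName, jobUrl, buildUrl);

        System.out.println("vulnerable:   " + vulnerable);
        System.out.println("fixed:        " + fixed);
        System.out.println("over-escaped: " + renderWholeMessageEscaped(jobName, buildName, jobUrl, buildUrl));

        // The check a regression test makes: no live <script> element, anchor still present.
        if (fixed.contains("<script>") || !fixed.contains("<a href='/job/upstream/'>")) {
            throw new AssertionError("display name not escaped correctly");
        }
    }
}
```

The `vulnerable` string contains a live `<script>` element inside the anchor; the `fixed` string contains `&lt;script&gt;` while the two anchors are unchanged. The same argument-level discipline applies to any template that builds HTML out of a localized message: decide per argument whether it is markup the template owns or data the user controls, and escape the latter.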

WAF Protection Rules

WAF Rule

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting vulnerability. Jenkins 2.245, LTS 2.235.2 escapes the job display name.
