8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2224

CVE-2020-2224: Stored XSS vulnerability in single axis builds tooltips in Jenkins Matrix Project Plugin

Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-2224

CVE-2020-2224:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:matrix-project	maven	<= 1.16	1.17

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped Jelly template variables in tooltip attributes. The commit diff shows three critical changes where h.xmlEscape() was added to sanitize user-controlled values:

In ajaxMatrix.jelly, the ${p.tooltip} variable (containing node names) was rendered without escaping in an <img> tooltip.
In matrix.jelly, both ${x.name} (axis names) and ${y.name} (axis names) were rendered unescaped in <td> tooltips. These variables are controlled by users with Agent/Configure permissions, and the lack of escaping allowed HTML/JS injection. The high confidence comes from the direct correlation between the unescaped variables in the patch and the described XSS vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-2224: Stored XSS vulnerability in single axis builds tooltips in Jenkins Matrix Project Plugin

CVE-2020-2224:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2020-2224: Stored XSS vulnerability in single axis builds tooltips in Jenkins Matrix Project Plugin

8

8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI