CVE-2020-2225: Stored XSS vulnerability in multiple axis builds tooltips in Jenkins Matrix Project Plugin

CVSS Score: 8 (CVSS version 3.1)

Basic Information

EPSS Score: 0.50859%
Published: 5/24/2022
Updated: 12/21/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name: org.jenkins-ci.plugins:matrix-project
Ecosystem: maven
Vulnerable Versions: <= 1.16
First Patched Version: 1.17

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from unescaped rendering of user-controlled axis names in Jelly template tooltips. The commit diff shows the addition of 'h.xmlEscape()' to sanitize 'p.tooltip', 'x.name', and 'y.name' in the tooltip attributes. Prior to the patch, these values were injected raw into the HTML, making the tooltip rendering logic the vulnerable component. The Jelly templates directly output these values without escaping, which is the root cause.
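As an added illustration (not the plugin's or Jenkins' own code), the snippet below models the tooltip attribute before and after an escape call of the kind the patch introduced. The escaper named xmlEscape here, the "x=y" tooltip layout and the axis names are assumptions made for the demo; it does not reproduce the exact behaviour of Jenkins' h.xmlEscape().

```java
// Added illustration of the fix pattern described above. Everything here is
// constructed for the demo: the escaper is a minimal stand-in, not Jenkins' helper,
// and the tooltip layout is assumed.
public class TooltipEscapeDemo {

    // Minimal XML attribute escaper (assumption: illustrative only).
    static String xmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Tooltip attribute as it would be emitted for a (constructed) axis pair.
    // escape=false models the pre-1.17 behaviour: the raw names reach the markup.
    static String tooltipAttr(String xName, String yName, boolean escape) {
        String x = escape ? xmlEscape(xName) : xName;
        String y = escape ? xmlEscape(yName) : yName;
        return "tooltip=\"" + x + "=" + y + "\"";
    }

    // Review-style check: a value that can close its own quote or open a tag
    // means the attribute boundary of the template has been broken.
    static boolean breaksAttribute(String attr) {
        String value = attr.substring("tooltip=\"".length(), attr.length() - 1);
        return value.indexOf('"') >= 0 || value.indexOf('<') >= 0;
    }

    public static void main(String[] args) {
        // Constructed axis name as a user with Job/Configure permission could set it.
        String hostile = "linux\"><b>injected</b>";
        String raw = tooltipAttr(hostile, "jdk8", false);
        String fixed = tooltipAttr(hostile, "jdk8", true);
        System.out.println(raw + "  breaks attribute: " + breaksAttribute(raw));
        System.out.println(fixed + "  breaks attribute: " + breaksAttribute(fixed));
    }
}
```

Running it shows the unescaped attribute terminating early and the escaped one keeping the whole name inside the quoted value.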

WAF Protection Rules

WAF Rule

Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permi
