Miggo Logo
Miggo Vulnerability Database
CVE-2020-2244

CVE-2020-2244: XSS vulnerability in Jenkins Build Failure Analyzer Plugin

8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2244
GHSA ID
GHSA-p5jh-8rxp-wqjj
EPSS Score
0.39196%
CWE
CWE-79
Published
5/24/2022
Updated
12/7/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzermaven<= 1.27.01.27.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows a critical change from FormValidation.okWithMarkup() to FormValidation.ok(). The okWithMarkup method in Jenkins API renders input as HTML without escaping, while ok() properly escapes content. This matches the vulnerability description about missing escaping in form validation responses. The patched version explicitly replaces this vulnerable method call, confirming its role in the XSS vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *uil* **ilur* *n*lyz*r Plu*in *.**.* *n* **rli*r *o*s not *s**p* m*t**in* t*xt in * *orm v*li**tion r*spons*, r*sultin* in * *ross-sit* s*riptin* (XSS) vuln*r**ility *xploit**l* *y *tt**k*rs **l* to provi** *onsol* output *or *uil*s us** to t

Reasoning

T** *ommit *i** s*ows * *riti**l ***n** *rom `*ormV*li**tion.okWit*M*rkup()` to `*ormV*li**tion.ok()`. T** okWit*M*rkup m*t*o* in J*nkins *PI r*n**rs input *s *TML wit*out *s**pin*, w*il* `ok()` prop*rly *s**p*s *ont*nt. T*is m*t***s t** vuln*r**ilit