Miggo Logo

CVE-2020-2246: Stored XSS vulnerability in Jenkins Valgrind Plugin

8

CVSS Score
3.1

Basic Information

EPSS Score
0.46137%
Published
5/24/2022
Updated
1/29/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:valgrindmaven<= 0.28

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped Valgrind XML report content being rendered in Jenkins. The core issue would exist in functions responsible for parsing/processing XML reports and rendering their content. ValgrindPublisher#processReport is a logical entry point for report processing, and ValgrindResult#getReportDetails would handle data extraction for display. While no direct code is provided, Jenkins plugin conventions and the nature of stored XSS in report rendering strongly suggest these components. Confidence is high for ValgrindPublisher#processReport due to its role in report ingestion, and medium for ValgrindResult#getReportDetails due to typical data flow patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins V*l*rin* Plu*in *.** *n* **rli*r *o*s not *s**p* *ont*nt in V*l*rin* XML r*ports, r*sultin* in * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xploit**l* *y *tt**k*rs **l* to *ontrol V*l*rin* XML r*port *ont*nts.

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** V*l*rin* XML r*port *ont*nt **in* r*n**r** in J*nkins. T** *or* issu* woul* *xist in *un*tions r*sponsi*l* *or p*rsin*/pro**ssin* XML r*ports *n* r*n**rin* t**ir *ont*nt. `V*l*rin*Pu*lis**r#pro**ssR*port` is * l