Miggo Logo
Miggo Vulnerability Database
CVE-2020-2271

CVE-2020-2271: Stored XSS vulnerability in Locked Files Report Plugin

8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2271
GHSA ID
GHSA-9rhc-vjjp-gccw
EPSS Score
0.46137%
CWE
CWE-79
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jvnet.hudson.plugins:locked-files-reportmaven<= 1.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped output of user-controlled data (filenames) in HTML contexts. Jenkins plugins typically use Jelly templates for UI rendering, and the advisory specifically mentions tooltip XSS. The core issue would be in the template that displays locked files, where ${...} output (without escaping) is used instead of ${%...%} or explicit escaping methods. While exact line numbers aren't provided, the pattern matches Jenkins XSS vulnerabilities where dynamic content isn't properly sanitized in view templates.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Lo*k** *il*s R*port Plu*in *.* *n* **rli*r *o*s not *s**p* lo*k** *il*s' n*m*s in tooltips, r*sultin* in * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xploit**l* *y *tt**k*rs wit* Jo*/*on*i*ur* p*rmission.

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** output o* us*r-*ontroll** **t* (*il*n*m*s) in *TML *ont*xts. J*nkins plu*ins typi**lly us* J*lly t*mpl*t*s *or UI r*n**rin*, *n* t** **visory sp**i*i**lly m*ntions tooltip XSS. T** *or* issu* woul* ** in t** t*m