-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:liquibase-runner | maven | <= 1.4.5 | 1.4.6 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from unescaped changeset content displayed on the build page. The commit diff shows a critical change in how exceptionMessage is rendered: replacing <j:out> (which typically escapes HTML) with direct ${} interpolation. In Jenkins Jelly, ${} auto-escapes by default, but the original use of <j:out> might have been redundant or misconfigured, leading to improper neutralization. The vulnerability likely existed because user-controlled changeset data (e.g., in exceptionMessage) was not escaped when injected into the DOM, allowing XSS. The patch removed <j:out>, aligning with proper escaping practices, confirming the prior code's vulnerability.