Miggo Logo
Miggo Vulnerability Database
CVE-2020-2316

CVE-2020-2316: Stored XSS vulnerability in Jenkins Static Analysis Utilities Plugin

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2316
GHSA ID
GHSA-fg6g-52rg-vr9q
EPSS Score
0.47851%
CWE
CWE-79
Published
5/24/2022
Updated
10/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jvnet.hudson.plugins:analysis-coremaven<= 1.96

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly states that annotation messages in tooltips are not escaped. In Jenkins plugin architecture, tooltip rendering for static analysis annotations would typically be handled by methods in classes like AbstractAnnotationResult. The getTooltip() method (or similar) would be responsible for returning the raw message value without applying proper output encoding. This matches the CWE-79 pattern of improper neutralization during web page generation. The confidence is high because the vulnerability pattern directly maps to missing escaping in UI rendering functions for a core plugin component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins St*ti* *n*lysis Utiliti*s Plu*in *.** *n* **rli*r *o*s not *s**p* t** *nnot*tion m*ss*** in tooltips, r*sultin* in * stor** *ross-sit* s*riptin* (XSS) vuln*r**ility *xploit**l* *y *tt**k*rs wit* Jo*/*on*i*ur* p*rmission.

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s t**t *nnot*tion m*ss***s in tooltips *r* not *s**p**. In `J*nkins` plu*in *r**it**tur*, tooltip r*n**rin* *or st*ti* *n*lysis *nnot*tions woul* typi**lly ** **n*l** *y m*t*o*s in *l*ss*s lik* `**str**t*