CVE-2020-2096
Published 2020-01-15
CVE-2020-2096: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
Priority: P182 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 89.43% (99.8th percentile)
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlab | gitlab | — | — |
| jenkins | amazon_ec2_plugin | — | — |
| jenkins | gitlab_hook | <= 1.4.2 | — |
| jenkins | health_advisor_by_cloudbees_plugin | — | — |
| jenkins | redgate_sql_change_automation_plugin | — | — |
| jenkins | robot_framework_plugin | — | — |
| jenkins | sounds_plugin | — | — |
| jenkins_project | jenkins_gitlab_hook_plugin | unspecified – 1.4.2 | — |
Detection & IOCs (extracted from sources)
URL: {{BaseURL}}/gitlab/build_now%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
- Detect reflected XSS probes in HTTP GET requests targeting the /gitlab/build_now endpoint; look for URL-encoded script/SVG injection payloads in the request path.
- Match HTTP 200 responses with Content-Type: text/html that reflect 'alert(document.domain)' in the response body; this confirms unescaped project-name reflection from the build_now endpoint.
- The vulnerability is in Jenkins Gitlab Hook Plugin versions 1.4.2 and earlier; flag any Jenkins instance exposing this plugin version via the /gitlab/build_now path.
- The XSS is reflected via the project name appended to the build_now endpoint path: the injection point is the URL path itself, not a query parameter or POST body.
- Two distinct XSS payload variants are observed in the wild, a </script><script>alert() form and an <svg/onload=alert()> form; detection rules should account for both URL-encoded patterns.
- EPSS score of 0.93762 (99.853rd percentile) indicates very high exploitation probability; this endpoint should be treated as actively targeted.
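The three detection points above (path-based probe on /gitlab/build_now, both URL-encoded payload variants, and the reflected text/html response that confirms unescaped output) as an added example; this is not code from any of the sources quoted on this page. It assumes a combined-format access log from a reverse proxy in front of Jenkins, and every log line and response body below is constructed, not captured.

```python
"""Detection logic for CVE-2020-2096 probe traffic, written as an added example
(not code from any source quoted on this page). It assumes a combined-format
access log from a reverse proxy in front of Jenkins; the log lines below are
constructed, not captured."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Injection point named in the advisory: the project name follows build_now in
# the URL path itself, so the path segment (not the query string) is inspected.
BUILD_NOW_RE = re.compile(r"^/gitlab/build_now(?P<rest>.*)$", re.IGNORECASE)

# Markup that no legitimate GitLab project path contains. Covers both variants
# seen in the wild: </script><script>... and <svg/onload=...>.
MARKUP_RE = re.compile(
    r"</?script\b|<svg\b|\bon(?:load|error|click|mouseover|focus)\s*=|javascript:",
    re.IGNORECASE,
)

# Apache/nginx "combined" log line: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded probes (%253C) are also seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target: str) -> Optional[Dict[str, object]]:
    """Return a finding if the request target is a build_now XSS probe, else None."""
    path = target.split("?", 1)[0]          # the query string is not the injection point
    decoded = fully_decode(path)
    m = BUILD_NOW_RE.match(decoded)
    if not m:
        return None
    hit = MARKUP_RE.search(m.group("rest"))
    if not hit:
        return None                          # ordinary project name, no markup
    variant = "script" if "script" in hit.group(0).lower() else "svg/event-handler"
    return {"endpoint": "/gitlab/build_now", "variant": variant, "decoded_path": decoded}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify_request over access-log lines; one finding per matching GET."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), status=int(m.group("status")))
            findings.append(finding)
    return findings


def response_reflects_probe(decoded_path: str, content_type: str,
                            status: int, body: str) -> bool:
    """Confirm the unescaped reflection: a text/html 200 whose body echoes the
    injected markup verbatim. A plugin that HTML-escapes the name yields False."""
    m = BUILD_NOW_RE.match(decoded_path)
    if not m or status != 200 or not content_type.lower().startswith("text/html"):
        return False
    injected = m.group("rest")
    return bool(injected) and injected in body


# Constructed sample traffic: the two probe variants quoted on this page, a
# double-encoded probe, a benign project name and an unrelated Jenkins request.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jan/2020:10:00:00 +0000] "GET /gitlab/build_now%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Jan/2020:10:00:01 +0000] "GET /gitlab/build_now%3Csvg/onload=alert(document.domain)%3E HTTP/1.1" 200 498',
    '198.51.100.7 - - [15/Jan/2020:10:00:02 +0000] "GET /gitlab/build_now%253Csvg%252Fonload%253Dalert(1)%253E HTTP/1.1" 200 498',
    '192.0.2.10 - - [15/Jan/2020:10:00:03 +0000] "GET /gitlab/build_now/my-group%2Fmy-project HTTP/1.1" 200 120',
    '192.0.2.10 - - [15/Jan/2020:10:00:04 +0000] "GET /job/my-project/lastBuild/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} probe={f['variant']} path={f['decoded_path']}")
```

The request-side check alone only tells you someone probed; pairing it with `response_reflects_probe` on the captured body separates a scan against a patched instance (markup comes back escaped) from a confirmed reflection on Gitlab Hook 1.4.2 or earlier.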
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| VulnCheck | — | 6.1 | MEDIUM | — |
GitLab
vendor_gitlab · 2020-01-15 · CVSS 6.1
CVE-2020-2096 [MEDIUM] CWE-79
CVE-2020-2096: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
Jenkins
vendor_jenkins · 2020-01-15 · CVSS 8.8
CVE-2020-2090 [HIGH]
Title: Jenkins Security Advisory 2020-01-15
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Amazon EC2 Plugin
- gitlab-hook Plugin
- Health Advisor by CloudBees Plugin
- Redgate SQL Change Automation Plugin
- Robot Framework Plugin
- Sounds Plugin
Descriptions
CSRF vuln
OSV
osv · 2022-05-24
CVE-2020-2096 [MEDIUM]
Reflected XSS vulnerability in Jenkins gitlab-hook Plugin
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the `build_now` endpoint, resulting in a reflected XSS vulnerability.
GHSA
ghsa · 2022-05-24
CVE-2020-2096 [MEDIUM] CWE-79
Reflected XSS vulnerability in Jenkins gitlab-hook Plugin
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the `build_now` endpoint, resulting in a reflected XSS vulnerability.
VulnCheck
vulncheck · 2020 · CVSS 6.1
CVE-2020-2096 [MEDIUM]
Jenkins gitlab_hook Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
Affected: Jenkins gitlab_hook
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2020-2096
No detection rules found.
Exploit-DB
exploitdb · 2020-01-16 · CVSS 6.1
CVE-2020-2096 [MEDIUM]
Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
---
# Exploit Title: Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting
# Exploit Author: Ai Ho
# Vendor Homepage : https://jenkins.io/
# Effective version : Gitlab Hook Plugin 1.4.2 and earlier
# References: https://jenkins.io/security/advisory/2020-01-15/
# CVE: CVE-2020-2096
# PoC:
http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E
Nuclei
nuclei · CVSS 6.1
CVE-2020-2096 [MEDIUM]
Jenkins Gitlab Hook <=1.4.2 - Cross-Site Scripting
Jenkins Gitlab Hook =1.4.3) to mitigate this vulnerability.
reference:
  - https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
  - http://www.openwall.com/lists/oss-security/2020/01/15/1
  - http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
  - https://nvd.nist.gov/vuln/detail/CVE-2020-2096
  - https://github.com/Elsfa7-110/kenzer-templates
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  cvss-score: 6.1
  cve-id: CVE-2020-2096
  cwe-id: CWE-79
  epss-score: 0.93762
  epss-percentile: 0.99853
  cpe: cpe:2.3:a:jenkins:gitlab_hook:*:*:*:*:*:jenkins:*:*
metadata:
  max-request: 1
  vendor: jenkins
  product: gitlab_hook
  framework: jenkins
  shodan-query:
    - http.title:"GitLab"
    - http.title:"gitlab"
  fofa-query: title="gitlab"
  google-query:
References:
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
Published 2020-01-15 · Exploited in the wild