CVE-2020-2096
published 2020-01-15

CVE-2020-2096: Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

Priority: P182 · medium · 6.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 89.43% (99.8th percentile)

Affected

8 ranges

Vendor           Product                               Version range         Fixed in
gitlab           gitlab
jenkins          amazon_ec2_plugin
jenkins          gitlab_hook                           <= 1.4.2
jenkins          health_advisor_by_cloudbees_plugin
jenkins          redgate_sql_change_automation_plugin
jenkins          robot_framework_plugin
jenkins          sounds_plugin
jenkins_project  jenkins_gitlab_hook_plugin            unspecified – 1.4.2

Only the Gitlab Hook Plugin (1.4.2 and earlier) is affected according to the description; the other rows carry no version range and come from the source's CPE data. No fixed version is given here, so treat every installed version of the plugin as vulnerable.

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/gitlab/build_now%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
url: http://JENKINS_IP/gitlab/build_now%3Csvg/onload=alert(document.domain)%3E
path: /gitlab/build_now
  • Detect reflected-XSS probes in HTTP GET requests to the /gitlab/build_now endpoint: look for URL-encoded script or SVG injection payloads appended directly to the request path. The {{BaseURL}} form above is a Nuclei-style template path; the JENKINS_IP form is a PoC URL.
  • Match HTTP 200 responses with Content-Type: text/html whose body reflects alert(document.domain). That confirms the project name is reflected unescaped by the build_now endpoint; a request match alone only shows a probe was attempted.
  • Affected versions are Jenkins Gitlab Hook Plugin 1.4.2 and earlier. Flag any Jenkins instance that has this plugin installed and exposes the /gitlab/build_now path.
  • The XSS is reflected via the project name, which the endpoint takes from the URL path appended to build_now. The injection point is the path itself, not a query parameter or POST body, so rules that only inspect query strings or request bodies miss it.
  • Two payload variants are observed in the wild: a </script><script>alert(...)</script> break-out and an <svg/onload=alert(...)> event handler. Detection rules should match both in their URL-encoded forms, and preferably after decoding the path, since scanners vary in how much they encode.
  • EPSS score of 0.93762 (99.853rd percentile) at the time the source was captured. EPSS is recomputed daily, which is why it differs from the header figure; either value indicates very high exploitation probability, and the endpoint should be treated as actively targeted.
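The request-side detection described in the bullets above, worked through as a script over access-log lines. This is an added example, not code from the page or from the Jenkins project. It assumes a reverse proxy in front of Jenkins writing Combined Log Format; the addresses, timestamps and log lines are constructed for illustration. The path is URL-decoded (twice, to unwrap double encoding) and only the part after /gitlab/build_now, i.e. the project name, is inspected for the two observed payload shapes.

```python
"""Flag CVE-2020-2096 probes (reflected XSS via the Gitlab Hook build_now path)
in web-server access logs.

Added example, not taken from the page or from the Jenkins project. It assumes
a reverse proxy in front of Jenkins writing Combined Log Format; the sample
log lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

ENDPOINT = "/gitlab/build_now"

# Combined Log Format: host ident user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The two payload shapes seen in the wild for this CVE, matched on the decoded path.
SCRIPT_TAG_RE = re.compile(r'<\s*/?\s*script\b', re.IGNORECASE)
SVG_ONLOAD_RE = re.compile(r'<\s*svg\b[^>]*\bonload\s*=', re.IGNORECASE)


def decode_path(raw):
    """URL-decode up to twice so double-encoded payloads (%253C -> %3C -> <) are unwrapped."""
    cur = raw
    for _ in range(2):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(raw_path):
    """Return a payload label for a suspicious build_now request, or None.

    The project name is whatever follows /gitlab/build_now in the path, so only
    that tail is inspected; a plain project name such as /my-project is benign.
    """
    decoded = decode_path(raw_path)
    idx = decoded.find(ENDPOINT)          # tolerate a Jenkins context-path prefix
    if idx < 0:
        return None
    tail = decoded[idx + len(ENDPOINT):]
    if SCRIPT_TAG_RE.search(tail):
        return "script-tag"
    if SVG_ONLOAD_RE.search(tail):
        return "svg-onload"
    if "<" in tail:
        return "other-markup"             # unexpected markup in a project name
    return None


def scan(lines):
    """Return one dict per suspicious GET; status 200 suggests the payload was reflected."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        label = classify(m["path"])
        if label:
            hits.append({"host": m["host"], "time": m["time"], "status": int(m["status"]),
                         "label": label, "path": decode_path(m["path"])})
    return hits


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jan/2020:10:00:01 +0000] "GET /gitlab/build_now/my-project HTTP/1.1" 200 512 "-" "GitLab/12.6"',
    '203.0.113.7 - - [15/Jan/2020:10:00:02 +0000] "GET /gitlab/build_now%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jan/2020:10:00:03 +0000] "GET /gitlab/build_now%3Csvg/onload=alert(document.domain)%3E HTTP/1.1" 200 1380 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jan/2020:10:00:04 +0000] "GET /jenkins/gitlab/build_now%253Csvg%2Fonload%3Dalert%281%29%253E HTTP/1.1" 200 1380 "-" "curl/7.64"',
    '198.51.100.9 - - [15/Jan/2020:10:00:05 +0000] "GET /search/?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "curl/7.64"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} {hit["status"]} {hit["label"]} {hit["path"]}')
```

The script covers only the request side. The response-side confirmation (an HTTP 200 text/html body that echoes alert(document.domain)) needs body visibility from the proxy or an IDS and is not something an access log can show; a 200 on a flagged request is a reason to pull the response from wherever it is captured, not proof of reflection on its own.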

CVSS provenance

NVD v3.1:  6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD v2.0:  4.3 MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N
VulnCheck: 6.1 MEDIUM