CVE-2020-2140
Published 2020-03-09
Priority: P3 · 54 · medium · 6.1 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EXPLOIT
EPSS: 75.98% (99.5th percentile)
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | audit_trail | <= 3.2 | — |
| jenkins | audit_trail_plugin | — | — |
| jenkins | backlog_plugin | — | — |
| jenkins | cobertura_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | cryptomove_plugin | — | — |
| jenkins | deployhub_plugin | — | — |
| jenkins | git_plugin | — | — |
| jenkins | literate_plugin | — | — |
| jenkins | logstash_plugin | — | — |
| jenkins | mac_cloud_host_launched_by_the_plugin | — | — |
| jenkins | mac_plugin | — | — |
| jenkins | openshift_deployer_plugin | — | — |
| jenkins | p4_plugin | — | — |
| jenkins | quality_gates_plugin | — | — |
| jenkins | repository_connector_plugin | — | — |
| jenkins | rundeck_plugin | — | — |
| jenkins | sandbox_protection_in_script_security_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | skytap_cloud_ci_plugin | — | — |
| jenkins | sonar_quality_gates_plugin | — | — |
| jenkins | subversion_release_manager_plugin | — | — |
| jenkins | timestamper_plugin | — | — |
| jenkins | yaml_input_files_to_literate_plugin | — | — |
| jenkins | zephyr_enterprise_test_management_plugin | — | — |
Detection & IOCs
- Probe the AuditTrailPlugin regexCheck endpoint with an unescaped HTML payload (e.g. `*j<h1>sample`) via GET; a vulnerable instance returns HTTP 200 with Content-Type: text/html and reflects the injected tag in the response body.
- The vulnerable endpoint is /descriptorByName/AuditTrailPlugin/regexCheck (also reachable under /jenkins/descriptorByName/AuditTrailPlugin/regexCheck). Monitor GET requests to this path containing unencoded or URL-encoded HTML/JS in the `value` query parameter.
- Affected versions are Jenkins Audit Trail Plugin 3.2 and earlier; upgrade to 3.3 or later to remediate.
- The exploit requires user interaction (UI:R): a victim must be tricked into clicking a crafted link. The XSS fires in the context of the Jenkins UI, so impact is scoped to authenticated Jenkins sessions.
- No authentication (PR:N) is required to reach the regexCheck endpoint, meaning the reflected XSS payload URL can be crafted and distributed by an unauthenticated attacker.
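A log-side check for the monitoring guidance above, as an added example (not part of the original page or of any project's rule set): it scans access-log lines for GET requests to the regexCheck endpoint whose `value` parameter decodes to HTML markup, including double-encoded input. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoint named on the page; a context prefix such as /jenkins is allowed.
ENDPOINT = "/descriptorByName/AuditTrailPlugin/regexCheck"
# Assumed log format: combined/common access log with a quoted request line.
REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Start of an HTML tag. Regexes with named groups, e.g. (?<name>...), can also
# match, so a hit is a lead to review rather than proof of an attempt.
MARKUP = re.compile(r"<[a-zA-Z/!]")

def fully_decode(text, max_rounds=3):
    """Undo repeated percent-encoding so %253C and %3C both become '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_requests(lines):
    """Return (ip, status, decoded value) for regexCheck hits carrying markup."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith(ENDPOINT):
            continue
        for key, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)  # parse_qsl already decoded one layer
            if key == "value" and MARKUP.search(value):
                hits.append((m["ip"], int(m["status"]), value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2020:09:14:02 +0000] "GET /jenkins/descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Ch1%3Esample HTTP/1.1" 200 187',
    '203.0.113.7 - - [10/Mar/2020:09:14:09 +0000] "GET /descriptorByName/AuditTrailPlugin/regexCheck?value=*j%253Ch1%253Esample HTTP/1.1" 200 187',
    '198.51.100.4 - admin [10/Mar/2020:09:20:41 +0000] "GET /descriptorByName/AuditTrailPlugin/regexCheck?value=.*%2Fconfigure HTTP/1.1" 200 12',
    '198.51.100.9 - - [10/Mar/2020:09:21:00 +0000] "GET /job/build/api/json?value=%3Cb%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The returned status code lets an analyst prioritise 200 responses, which the page associates with a vulnerable instance reflecting the value.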
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
GHSA
XSS vulnerability in Jenkins Audit Trail Plugin
ghsa·2022-05-24
CVE-2020-2140 [MEDIUM] CWE-79 XSS vulnerability in Jenkins Audit Trail Plugin
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability. Audit Trail Plugin 3.3 escapes the affected part of the error message.
OSV
XSS vulnerability in Jenkins Audit Trail Plugin
osv·2022-05-24
CVE-2020-2140 [MEDIUM] XSS vulnerability in Jenkins Audit Trail Plugin
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability. Audit Trail Plugin 3.3 escapes the affected part of the error message.
Jenkins
Jenkins Security Advisory 2020-03-09
vendor_jenkins·2020-03-09·CVSS 8.8
CVE-2020-2134 [HIGH] Jenkins Security Advisory 2020-03-09
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Audit Trail Plugin
- Backlog Plugin
- Cobertura Plugin
- CryptoMove Plugin
- DeployHub Plugin
- Git Plugin
- Literate Plugin
- Logstash Plugin
- Mac Plugin
- OpenShift Deploy
No detection rules found.
Nuclei
Jenkin Audit Trail <=3.2 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2020-2140 [MEDIUM] Jenkin Audit Trail <=3.2 - Cross-Site Scripting
Jenkin Audit Trail =3.3) which includes a fix for this vulnerability.
```yaml
  reference:
    - https://www.jenkins.io/security/advisory/2020-03-09/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-2140
    - https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1722
    - http://www.openwall.com/lists/oss-security/2020/03/09/1
    - https://github.com/merlinepedra25/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-2140
    cwe-id: CWE-79
    epss-score: 0.44807
    epss-percentile: 0.97587
    cpe: cpe:2.3:a:jenkins:audit_trail:*:*:*:*:*:jenkins:*:*
  metadata:
    max-request: 2
    vendor: jenkins
    product: audit_trail
    framework: jenkins
  tags: cve,cve2020,jenkins,xss,plugin,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/descriptorByName/AuditTrailPlugin/regexCheck
```
No writeups or analysis indexed.