CVE-2020-2140
published 2020-03-09

Priority P354 · medium · 6.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 75.98% (99.5th percentile)
Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability.

Affected

27 ranges · showing 25

Vendor   Product                                         Version range   Fixed in
jenkins  audit_trail                                     <= 3.2
jenkins  audit_trail_plugin
jenkins  backlog_plugin
jenkins  cobertura_plugin
jenkins  credentials_plugin
jenkins  cryptomove_plugin
jenkins  deployhub_plugin
jenkins  git_plugin
jenkins  literate_plugin
jenkins  logstash_plugin
jenkins  mac_cloud_host_launched_by_the_plugin
jenkins  mac_plugin
jenkins  openshift_deployer_plugin
jenkins  p4_plugin
jenkins  quality_gates_plugin
jenkins  repository_connector_plugin
jenkins  rundeck_plugin
jenkins  sandbox_protection_in_script_security_plugin
jenkins  script_security_plugin
jenkins  skytap_cloud_ci_plugin
jenkins  sonar_quality_gates_plugin
jenkins  subversion_release_manager_plugin
jenkins  timestamper_plugin
jenkins  yaml_input_files_to_literate_plugin
jenkins  zephyr_enterprise_test_management_plugin

Detection & IOCs (extracted from sources)

URL: /descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Ch1%3Esample
URL: /jenkins/descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Ch1%3Esample
  • Probe the AuditTrailPlugin regexCheck endpoint with an unescaped HTML payload (e.g. *j<h1>sample) via GET; a vulnerable instance returns HTTP 200 with Content-Type: text/html and reflects the injected tag unescaped in the response body.
  • The vulnerable endpoint is /descriptorByName/AuditTrailPlugin/regexCheck (also reachable under /jenkins/descriptorByName/AuditTrailPlugin/regexCheck). Monitor GET requests to this path whose `value` query parameter contains HTML or JavaScript, whether plain or URL-encoded.
  • Affected versions are Jenkins Audit Trail Plugin 3.2 and earlier; upgrade to 3.3 or later to remediate.
  • The exploit requires user interaction (UI:R): a victim must be tricked into clicking a crafted link. The XSS fires in the context of the Jenkins UI, so impact is scoped to authenticated Jenkins sessions.
  • No authentication (PR:N) is required to reach the regexCheck endpoint, so the reflected XSS payload URL can be crafted and distributed by an unauthenticated attacker.
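As an added example (not part of this record or its sources), the monitoring advice above expressed as a small Python detector: it scans access-log lines for GET requests to the regexCheck endpoint whose `value` parameter decodes, including after double URL-encoding, to HTML or script. The log format, the marker list and the sample lines are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Form-validation endpoint named in this record, with or without a /jenkins prefix.
REGEXCHECK_PATH = re.compile(r"^(?:/jenkins)?/descriptorByName/AuditTrailPlugin/regexCheck$")
# Markers of HTML or script in the echoed parameter (assumed list); a genuine
# URL-pattern regex has no reason to contain angle brackets or event handlers.
HTML_MARKERS = re.compile(r"<|>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Common/combined access-log format of a reverse proxy in front of Jenkins (assumed).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_value(target):
    """Return the decoded `value` parameter when `target` hits the regexCheck
    endpoint with HTML/JS in that parameter, otherwise None."""
    parts = urlsplit(target)
    if not REGEXCHECK_PATH.match(parts.path):
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("value", []):
        # parse_qs decoded once already; decode again so a double-encoded
        # payload (%253C for '<') is not missed.
        decoded = unquote(raw)
        if HTML_MARKERS.search(decoded):
            return decoded
    return None

def scan_log(lines):
    """Return (client_ip, status, decoded_value) for each matching GET request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("method") != "GET":
            continue
        value = suspicious_value(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), m.group("status"), value))
    return hits

# Constructed sample lines, not taken from any real incident.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Mar/2020:10:00:01 +0000] "GET /jenkins/descriptorByName/AuditTrailPlugin/regexCheck?value=*j%3Ch1%3Esample HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Mar/2020:10:00:02 +0000] "GET /descriptorByName/AuditTrailPlugin/regexCheck?value=.*%2Fjob%2F.* HTTP/1.1" 200 30',
    '198.51.100.9 - - [09/Mar/2020:10:00:03 +0000] "GET /descriptorByName/AuditTrailPlugin/regexCheck?value=%253Cb%253Ebold%253C%252Fb%253E HTTP/1.1" 200 600',
    '192.0.2.4 - - [09/Mar/2020:10:00:04 +0000] "GET /job/build/configure HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for ip, status, value in scan_log(SAMPLE_LOG):
        print(f"{ip} -> HTTP {status}: value={value!r}")
```

The second sample line is a legitimate URL-pattern regex and is not flagged; the third is flagged only because the parameter is decoded a second time.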

CVSS provenance

NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N