Vulnerability in Jenkins Project Gitlab Hook Plugin
CVE-2020-2096
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
EPSS: 0.927 (99.8th percentile). An EPSS score is the model's estimated probability that the vulnerability is exploited in the wild within the next 30 days, so 0.927 places this CVE among the most likely to be exploited.
Affected products
- Jenkins Project Gitlab Hook Plugin — versions 1.4.2 and earlier (per the CVE description); no fixed version is listed on this page
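Since the affected range is "1.4.2 and earlier", the practical first step is to find out whether an instance has the plugin installed at an affected version. The following is an added example (not code from the page, the Jenkins project, or the plugin): it parses the JSON that Jenkins serves at `/pluginManager/api/json?depth=1` and flags the affected plugin. The plugin id `gitlab-hook` is an assumption (the page does not state the update-center short name), and the sample JSON below is constructed for the example.

```python
import base64
import json
import re
import urllib.request
from typing import List, Tuple

# Assumed plugin id: the page does not give the update-center short name, so
# "gitlab-hook" is an assumption; adjust it if your instance reports another id.
AFFECTED_SHORT_NAME = "gitlab-hook"

# "1.4.2 and earlier" per the CVE description.
LAST_AFFECTED = (1, 4, 2)

# Constructed sample of what Jenkins returns from /pluginManager/api/json?depth=1
# (real API shape; the plugin entries are made up for this example).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Jenkins Git plugin", "version": "4.0.0", "active": True},
        {"shortName": "gitlab-hook", "longName": "Gitlab Hook Plugin", "version": "1.4.2", "active": True},
        {"shortName": "credentials", "longName": "Credentials Plugin", "version": "2.3.0", "active": True},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' (or '1.4.2-SNAPSHOT') into an integer tuple; a trailing qualifier is dropped."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when the version is 1.4.2 or earlier (tuple comparison makes '1.4' sort before '1.4.2')."""
    return parse_version(version) <= LAST_AFFECTED


def find_affected(plugin_manager_json: str) -> List[Tuple[str, str, bool]]:
    """Return (shortName, version, active) for every installed copy of the affected plugin."""
    data = json.loads(plugin_manager_json)
    hits = []
    for p in data.get("plugins", []):
        if p.get("shortName") == AFFECTED_SHORT_NAME and is_affected(p.get("version", "0")):
            hits.append((p["shortName"], p["version"], bool(p.get("active", False))))
    return hits


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live plugin list with HTTP basic auth (user + Jenkins API token with rights to view the plugin manager)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed sample; for a live instance, pass the output of
    # fetch_plugin_manager_json("https://jenkins.example", "user", "token") instead.
    for short_name, version, active in find_affected(SAMPLE_PLUGIN_MANAGER_JSON):
        state = "active" if active else "disabled"
        print(f"{short_name} {version} ({state}) is affected by CVE-2020-2096")
```

A disabled plugin does not serve its endpoints, but its files remain on disk and it can be re-enabled, so the check reports the `active` flag rather than silently skipping inactive copies. Because this page lists no fixed version, a hit means the plugin should be removed or the instance otherwise protected, not simply upgraded.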
References
- jenkins.io/security/advisory/2020-01-15/ (x_refsource_CONFIRM)
- [oss-security] 20200115 Multiple vulnerabilities in Jenkins plugins (mailing-list, x_refsource_MLIST)
- packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scrip… (x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-2096?
- CVE-2020-2096 is a reflected cross-site scripting (XSS) vulnerability in the Jenkins Project Gitlab Hook Plugin, versions 1.4.2 and earlier: the build_now endpoint does not escape project names. Published 2020-01-15.
- Is CVE-2020-2096 known to be exploited?
- 14 public proof-of-concept repositories are indexed. It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, so no confirmed in-the-wild exploitation is recorded there; the public proof-of-concept code and the high EPSS score still argue for treating it as readily exploitable.