VYPR
Moderate severity · NVD Advisory · Published Mar 9, 2020 · Updated Aug 4, 2024

CVE-2020-2136

Description

Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Git Plugin 4.2.0 and earlier has a stored XSS vulnerability due to unsanitized error messages in the TFS repository URL validation.

Vulnerability

Overview

Jenkins Git Plugin versions 4.2.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the form validation for the Microsoft Team Foundation Server (TFS) repository URL field. The plugin does not escape user-provided input when constructing error messages, allowing an attacker to inject arbitrary HTML or JavaScript [1][3].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have Job/Configure permission in Jenkins. When the plugin validates a TFS repository URL and encounters an error, the unsanitized input is rendered as part of the error message. This stored XSS vector persists across sessions, affecting any user who views the configuration page or the validation error [1][2].

Impact

A successful exploit allows the attacker to execute arbitrary script code in the context of the victim's browser session within Jenkins. This could lead to credential theft, session hijacking, or further manipulation of Jenkins jobs and configurations without proper authorization [1].

Mitigation

The vulnerability is fixed in Git Plugin version 4.2.1, released on March 9, 2020. The fix applies hudson.Util.escape() to the error message, ensuring proper encoding of HTML entities [1][4]. Users should upgrade to version 4.2.1 or later. No workarounds are listed in the advisory.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions   Patched versions
org.jenkins-ci.plugins:git (Maven)   < 4.2.1             4.2.1

Patches

f581998be38c

[SECURITY-1723]

https://github.com/jenkinsci/git-plugin · Francisco Javier Fernandez Gonzalez · Mar 3, 2020 · via ghsa
2 files changed · +50 −1
  • src/main/java/hudson/plugins/git/browser/TFS2013GitRepositoryBrowser.java   +2 −1   modified
    @@ -1,6 +1,7 @@
     package hudson.plugins.git.browser;
     
     import hudson.Extension;
    +import hudson.Util;
     import hudson.model.AbstractProject;
     import hudson.model.Descriptor;
     import hudson.plugins.git.GitChangeSet;
    @@ -123,7 +124,7 @@ public FormValidation doCheckRepoUrl(@QueryParameter(fixEmpty = true) String val
                     GitSCM scm = (GitSCM) project.getScm();
                     RemoteConfig remote = scm.getRepositoryByName(value);
                     if (remote == null)
    -                    return FormValidation.errorWithMarkup("There is no remote with the name <code>" + value + "</code>");
    +                    return FormValidation.errorWithMarkup("There is no remote with the name <code>" + Util.escape(value) + "</code>");
                     
                     value = remote.getURIs().get(0).toString();
                 }
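Review bot: the Util.escape(value) on the `+` line closes this branch, but it is a point fix; any other errorWithMarkup call in doCheckRepoUrl that interpolates `value` (or the remote URI derived from it on the following line) needs the same treatment, and the safer default for a message whose only markup is a `<code>` wrapper is FormValidation.error(...), which HTML-escapes its argument automatically, reserving errorWithMarkup for messages that genuinely need markup.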
    
  • src/test/java/hudson/plugins/git/browser/TFS2013GitRepositoryBrowserXSSTest.java   +48 −0   added
    @@ -0,0 +1,48 @@
    +package hudson.plugins.git.browser;
    +
    +import com.gargoylesoftware.htmlunit.html.HtmlPage;
    +import hudson.model.FreeStyleProject;
    +import hudson.plugins.git.GitSCM;
    +import hudson.plugins.git.SubmoduleConfig;
    +import hudson.plugins.git.UserRemoteConfig;
    +import hudson.plugins.git.extensions.GitSCMExtension;
    +import org.jenkinsci.plugins.gitclient.JGitTool;
    +import org.junit.Assert;
    +import org.junit.Rule;
    +import org.junit.Test;
    +import org.jvnet.hudson.test.Issue;
    +import org.jvnet.hudson.test.JenkinsRule;
    +
    +import java.util.ArrayList;
    +import java.util.Collections;
    +import java.util.concurrent.atomic.AtomicBoolean;
    +
    +public class TFS2013GitRepositoryBrowserXSSTest {
    +
    +    @Rule
    +    public final JenkinsRule rule = new JenkinsRule();
    +
    +    @Test
    +    @Issue("SECURITY-1723")
    +    public void testXSS() throws Exception {
    +        // setup scm
    +        GitSCM scm = new GitSCM(
    +                Collections.singletonList(new UserRemoteConfig("http://tfs/tfs/project/_git/repo", null, null, null)),
    +                new ArrayList<>(),
    +                false, Collections.<SubmoduleConfig>emptyList(),
    +                null, JGitTool.MAGIC_EXENAME,
    +                Collections.<GitSCMExtension>emptyList());
    +        scm.setBrowser(new TFS2013GitRepositoryBrowser("<img src=x onerror=alert(232)>"));
    +
    +        FreeStyleProject p = rule.createFreeStyleProject();
    +        p.setScm(scm);
    +
    +        AtomicBoolean xss = new AtomicBoolean(false);
    +        JenkinsRule.WebClient wc = rule.createWebClient();
    +        wc.setAlertHandler((page, s) -> {
    +            xss.set(true);
    +        });
    +        HtmlPage page = wc.getPage(p, "configure");
    +        Assert.assertFalse(xss.get());
    +    }
    +}
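Review bot: testXSS only asserts that no alert fired (Assert.assertFalse(xss.get())), so it passes vacuously if the repoUrl validation never runs while loading the configure page; add a positive assertion that the error message for the injected browser name was actually rendered, e.g. that the page text contains "There is no remote with the name" together with the literal `<img src=x onerror=alert(232)>`, so the test demonstrates escaping rather than absence of validation. The onerror handler also needs HtmlUnit JavaScript enabled in the WebClient for the pre-fix failure to reproduce; stating that in a comment (or asserting on the rendered text as above) keeps the regression test meaningful if defaults change.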
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
