CVE-2020-2170
Description
Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins RapidDeploy Plugin 4.2 and earlier has a stored XSS vulnerability because it fails to escape package names from a remote server.
Vulnerability
Overview
CVE-2020-2170 is a stored cross-site scripting (XSS) vulnerability in the Jenkins RapidDeploy Plugin, versions 4.2 and earlier. The plugin retrieves a list of deployment packages from a remote RapidDeploy server and displays them in a table within the Jenkins web interface. The package names are not escaped before being rendered, allowing an attacker to inject malicious HTML or JavaScript code into the page [1][2].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must be able to control the package names on the remote RapidDeploy server that the Jenkins plugin connects to. This could be achieved by compromising the remote server, or by tricking the Jenkins administrator into configuring the plugin to connect to a malicious server. No additional authentication is required on the Jenkins side for the XSS to trigger when a user views the package table [1][3].
Impact
Successful exploitation results in stored XSS, meaning the injected script executes in the context of any Jenkins user who views the affected page. This can lead to session hijacking, credential theft, or arbitrary actions performed on behalf of the victim user within Jenkins, potentially compromising the entire Jenkins instance [1][2].
Mitigation
The vulnerability is fixed in RapidDeploy Plugin version 4.2.1. Users are strongly advised to upgrade to this version or later. No workarounds are available; the only remediation is to update the plugin [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:rapiddeploy-jenkinsMaven | < 4.2.1 | 4.2.1 |
Affected products
- Range: <= 4.2
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-f4gq-7hvf-fjm3 (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2020-2170 (NVD)
- [3] https://www.openwall.com/lists/oss-security/2020/03/25/2 (oss-security mailing list)
- [4] https://jenkins.io/security/advisory/2020-03-25/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2020-03-25 (Jenkins Security Advisories, Mar 25, 2020)