VYPR
Moderate severity · NVD Advisory · Published Apr 7, 2020 · Updated Aug 4, 2024

CVE-2020-2174

Description

Jenkins AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output, resulting in a reflected cross-site scripting vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Jenkins AWSEB Deployment Plugin due to improper escaping of form validation output.

Vulnerability

Jenkins AWSEB Deployment Plugin 0.3.19 and earlier fails to escape various values printed as part of form validation output [1][2]. This missing output encoding allows injection of arbitrary HTML and JavaScript into the plugin's validation responses.

Exploitation

An attacker can craft a malicious URL or form input that triggers a validation endpoint, causing the injected script to execute in the context of a victim's browser session [2]. The attack is reflected and requires user interaction, such as clicking on a crafted link, but does not require authentication to Jenkins [2].

Impact

Successful exploitation enables arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, credential theft, or performing actions on behalf of the victim [2]. The vulnerability is classified as medium severity with a CVSS score of 6.1 [1].

Mitigation

The vulnerability is fixed in AWSEB Deployment Plugin version 0.3.20, which properly escapes values printed in form validation output [2][3]. Users should upgrade immediately. No workarounds are available beyond updating the plugin.
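The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a hypothetical Jenkins form-validation method (`doCheckEnvironmentName`, a made-up field name) that echoes the submitted value back in its validation message, first without escaping and then with the value passed through `hudson.Util.escape` before it reaches the markup.

```java
// Added illustration, not code from the AWSEB Deployment Plugin. The field
// name and class are hypothetical; the Jenkins APIs used are real.
import hudson.Util;
import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;

public class EnvironmentNameValidator {

    // Vulnerable pattern: the raw query parameter is concatenated into markup,
    // and FormValidation.errorWithMarkup() sends that markup to the browser
    // as-is. Because doCheck* endpoints are reached with the value in the
    // request, any HTML in the value is rendered inside the validation box,
    // which is the reflected XSS described in this advisory.
    public static FormValidation doCheckEnvironmentNameUnsafe(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Environment name is required");
        }
        return FormValidation.errorWithMarkup(
                "Environment '" + value + "' could not be found");
    }

    // Fixed pattern: HTML-escape the value before it is placed in markup.
    // Util.escape() converts <, >, & and quotes to character entities, so the
    // user-supplied text is displayed rather than interpreted. Using the plain
    // FormValidation.error(String) overload instead of errorWithMarkup() has the
    // same effect, since Jenkins core escapes that message itself.
    public static FormValidation doCheckEnvironmentName(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Environment name is required");
        }
        return FormValidation.errorWithMarkup(
                "Environment '" + Util.escape(value) + "' could not be found");
    }
}
```

When reviewing a plugin for this issue, grep for `errorWithMarkup`, `warningWithMarkup` and `okWithMarkup` calls and confirm every interpolated value is escaped; the plain `error`/`warning`/`ok` overloads are the safer default.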

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: br.com.ingenieux.jenkins.plugins:awseb-deployment-plugin (Maven)
Affected versions: < 0.3.20
Patched versions: 0.3.20

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1