VYPR
Moderate severity · NVD Advisory · Published Jun 3, 2020 · Updated Aug 4, 2024

CVE-2020-2190

Description

Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Script Security Plugin ≤1.72 has a stored XSS vulnerability via unescaped classpath entries on the In-process Script Approval page.

Vulnerability Overview

Jenkins Script Security Plugin version 1.72 and earlier does not properly escape pending or approved classpath entries displayed on the In-process Script Approval page. The plugin rendered classpath entries using raw string interpolation, which allowed an attacker to inject arbitrary HTML and JavaScript into the page [1][2]. This is a stored cross-site scripting (XSS) vulnerability because the injected payload remains in the page and executes when other users view the approval list.

Attack Vector

A user with the ability to configure sandboxed scripts can supply a malicious classpath entry containing JavaScript code. When a Jenkins administrator or another user with approval permissions visits the In-process Script Approval page, the injected script executes in the context of the user's session. No additional authentication is required beyond the ability to submit a sandboxed script [1][3].

Impact

Successful exploitation allows the attacker to perform actions on behalf of the victim, such as modifying Jenkins configuration, executing arbitrary jobs, or exfiltrating sensitive credentials. The CVSS v3.1 base score is 6.1 (Medium), reflecting the need for a user with script approval permissions to view the page [2].

Mitigation

Script Security Plugin version 1.73 fixes the vulnerability by escaping classpath entries using safe DOM manipulation methods (textContent) instead of HTML string interpolation [4]. Users should upgrade to version 1.73 or later immediately. No workarounds are available for earlier versions [1].
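To make the difference between the two rendering styles concrete, here is an added example (not code from the Jenkins Script Security Plugin or its fix commit) that places the vulnerable string-interpolation pattern described above beside two safe forms: a DOM-API version that mirrors the 1.73 fix, and an escaping version that runs without a browser. The classpath entries, hash values and the `startTags` / `entriesWithInjectedMarkup` helpers are all constructed for this illustration; the DOM version uses standard `document.createElement` / `textContent` calls rather than Prototype's `new Element(...)` constructor.

```javascript
// Added example, not code from the Jenkins Script Security Plugin: it contrasts the
// vulnerable rendering (HTML built by string interpolation) with two safe forms,
// a DOM-API version mirroring the fix and an escaping version that runs without a
// browser. The entries below are constructed sample data.
"use strict";

// Constructed sample classpath entries (hash values are placeholders, not real digests).
const SAMPLE_ENTRIES = [
  { hash: "0000-placeholder-hash-0000", path: "https://repo.example.test/libs/util.jar" },
  { hash: "1111-placeholder-hash-1111",
    path: "https://www.example.com/#value=Hack<img id='xss' src=x onerror=alert(123)>Hack" },
];

// Vulnerable form (the pattern removed in 1.73): the path is concatenated straight
// into markup, so any '<' in it is parsed as a tag when the string is inserted.
function renderEntryVulnerable(e) {
  return "<code title='" + e.hash + "'>" + e.path + "</code>";
}

// Safe DOM form, equivalent in effect to the fix: attribute and text are set through
// the DOM API, so the browser stores them as data and never parses them as HTML.
// `doc` is whatever document object the caller has (assumed, for browser use only).
function renderEntryDom(e, doc) {
  const code = doc.createElement("code");
  code.setAttribute("title", e.hash);
  code.textContent = e.path;
  return code;
}

// Safe string form for environments without a DOM (and for server-side templating):
// every value is HTML-escaped before it is placed in markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderEntryEscaped(e) {
  return '<code title="' + escapeHtml(e.hash) + '">' + escapeHtml(e.path) + "</code>";
}

// Lists the start tags present in a rendered fragment. A correctly rendered entry
// contributes exactly one element, <code>; any other tag came from the data.
function startTags(html) {
  return (html.match(/<[A-Za-z][^\s>\/]*/g) || []).map((t) => t.slice(1).toLowerCase());
}

// Returns the entries whose rendering by `render` introduces elements beyond <code>,
// i.e. the ones an injected payload turned into live markup.
function entriesWithInjectedMarkup(entries, render) {
  return entries.filter((e) => startTags(render(e)).some((tag) => tag !== "code"));
}

// Stand-alone run: report how many sample entries each renderer lets through.
if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", entriesWithInjectedMarkup(SAMPLE_ENTRIES, renderEntryVulnerable).length);
  console.log("escaped:", entriesWithInjectedMarkup(SAMPLE_ENTRIES, renderEntryEscaped).length);
}
```

Run with `node` to see the vulnerable renderer turn the second entry's payload into an `<img>` element while the escaped renderer leaves it as inert text; in a page, `renderEntryDom` gives the same guarantee because `textContent` and `setAttribute` never invoke the HTML parser.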

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:script-security (Maven)
Affected versions: < 1.73
Patched versions: 1.73


Patches

1
99e6ac0df5fe

[SECURITY-1866] Escape classpath entries in script approvals to avoid XSS

2 files changed · +28 −2
  • src/main/resources/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval/index.jelly (+6 −2, modified)
    @@ -106,7 +106,9 @@ THE SOFTWARE.
                                 });
                                 block.insert(approveButton);
                                 block.insert(denyButton);
    -                            block.insert("&lt;code title='" + e.hash + "'>" + e.path + "&lt;/code>");
    +                            var code = new Element('code', { 'title': e.hash });
    +                            code.textContent = e.path;
    +                            block.insert(code);
                                 
                                 $('pendingClasspathEntries').insert(block);
                             });
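Review bot: the `title` attribute is still built from `e.hash` on the `new Element('code', { 'title': e.hash })` line; Prototype's Element constructor applies attributes through `writeAttribute`/`setAttribute`, so the value cannot break out of the attribute the way it could in the removed string, but that reliance is invisible to the next reader. A short comment on that line and on `code.textContent = e.path`, stating that both values are stored as DOM data rather than parsed as markup, would document why this closes the XSS.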
    @@ -140,7 +142,9 @@ THE SOFTWARE.
                                     }
                                 });
                                 block.insert(deleteButton);
    -                            block.insert("&lt;code title='" + e.hash + "'>" + e.path + "&lt;/code>");
    +                            var code = new Element('code', { 'title': e.hash });
    +                            code.textContent = e.path;
    +                            block.insert(code);
                                 
                                 $('approvedClasspathEntries').insert(block);
                             });
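Review bot: this is a line-for-line copy of the change in the pending-entries hunk above; extracting the three lines into a small helper, e.g. `function classpathEntryElement(e) { ... }`, called from both the `pendingClasspathEntries` and `approvedClasspathEntries` renderers would keep the escaping in one place, so a future change to how entries are displayed cannot reintroduce string interpolation in only one of the two lists.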
    
  • src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApprovalTest.java (+22 −0, modified)
    @@ -48,6 +48,7 @@
     import java.util.concurrent.atomic.AtomicLong;
     import java.util.logging.Level;
     
    +import static org.hamcrest.Matchers.nullValue;
     import static org.junit.Assert.assertThat;
     import static org.junit.Assert.assertEquals;
     import static org.junit.Assert.fail;
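Review bot: `nullValue` is statically imported here while the existing assertion in the test class uses the qualified `Matchers.empty()`; pick one style for the Hamcrest matchers (static-import `empty` too, or write `Matchers.nullValue()` in the new test) so the file stays consistent.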
    @@ -114,6 +115,27 @@ public void malformedScriptApproval() throws Exception {
             assertThat(r.createWebClient().goTo("manage").getByXPath("//a[@href='scriptApproval']"), Matchers.empty());
         }
     
    +    @Issue("SECURITY-1866")
    +    @Test public void classpathEntriesEscaped() throws Exception {
    +        // Add pending classpath entry.
    +        String hash = null;
    +        try {
    +            ScriptApproval.get().using(new ClasspathEntry("https://www.example.com/#value=Hack<img id='xss' src=x onerror=alert(123)>Hack"));
    +            fail("Classpath should not already be approved");
    +        } catch (UnapprovedClasspathException e) {
    +            hash = e.getHash();
    +        }
    +        // Check for XSS in pending approvals.
    +        JenkinsRule.WebClient wc = r.createWebClient();
    +        HtmlPage approvalPage = wc.goTo("scriptApproval");
    +        assertThat(approvalPage.getElementById("xss"), nullValue());
    +        // Approve classpath entry.
    +        ScriptApproval.get().approveClasspathEntry(hash);
    +        // Check for XSS in approved classpath entries.
    +        HtmlPage approvedPage = wc.goTo("scriptApproval");
    +        assertThat(approvedPage.getElementById("xss"), nullValue());
    +    }
    +
         @Test public void clearMethodsLifeCycle() throws Exception {
             ScriptApproval sa = ScriptApproval.get();
             assertEquals(0, sa.getApprovedSignatures().length);
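Review bot: both assertions in `classpathEntriesEscaped` only check that no element with id `xss` exists, so the test would also pass if the classpath entry were not rendered at all (for example if the pending or approved list failed to load). Add a positive assertion next to each `nullValue()` check, such as verifying that the page's visible text contains the full entry path `https://www.example.com/#value=Hack<img id='xss' src=x onerror=alert(123)>Hack` as literal text, so the test proves the entry is shown and escaped rather than merely absent. An explicit `assertNotNull(hash)` before `ScriptApproval.get().approveClasspathEntry(hash)` would also give a clearer failure than a null-hash exception if `using(...)` ever stops throwing.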
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
