CVE-2020-2227
Description
Jenkins Deployer Framework Plugin 1.2 and earlier has a stored XSS vulnerability due to unescaped URLs on the build home page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Deployer Framework Plugin versions 1.2 and earlier do not escape the deployment-target URLs they display on the build home page. Because the value is written into the page exactly as stored, anyone who controls it can inject arbitrary HTML and JavaScript, which makes this a stored cross-site scripting (XSS) vulnerability [1][2]. The fix commit listed under Patches below wraps the target's description in h.xmlEscape where it is placed into the link's tooltip attribute in the two Jelly views that render the deployment record.
Exploitation
An attacker who holds Job/Configure permission can configure a deployment target whose URL or description contains script. The value is saved with the job and rendered unescaped on the build page, so the payload runs in the browser of every user who views that page; it does not depend on the victim clicking an attacker-supplied link, which is what makes this a stored rather than a reflected XSS [2].
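To make the mechanism concrete, the following added example (not code from the Deployer Framework Plugin or from Jenkins) rebuilds the link that the plugin's summary view emits, once with the description interpolated raw as in 1.2 and once XML-escaped as in the 1.3 fix, then parses each result the way a lenient browser parser would to show which elements actually appear. It goes slightly beyond the patch by also checking the href scheme, because attribute escaping on its own leaves a `javascript:` URL fully functional. The payload, the target URL and the helper names are constructed for this example; `xml_escape` stands in for Jenkins' `h.xmlEscape` and is assumed to behave the same for the characters involved.

```python
"""Added example, not part of the Deployer Framework Plugin or Jenkins.

Renders the deployment-target link the way the plugin's summary view does,
before and after the SECURITY-1915 fix, and parses the result as a browser
would, so the effect of escaping the tooltip attribute is visible.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
from xml.sax.saxutils import escape


def xml_escape(value: str) -> str:
    """Escape &, <, > and double quotes.

    Stands in for Jenkins' h.xmlEscape (assumption: the real helper escapes
    these same characters).
    """
    return escape(value, {'"': "&quot;"})


def render_link(url: str, description: str, escaped: bool) -> str:
    """Emit the <a> element from the template.

    escaped=False reproduces the 1.2 template, which interpolated the
    description straight into the tooltip attribute; escaped=True applies
    the 1.3 fix (h.xmlEscape around the description).
    """
    tooltip = xml_escape(description) if escaped else description
    return f'<a href="{url}" tooltip="{tooltip}">{url}</a>'


class _TagCollector(HTMLParser):
    """Collects (tag, attrs) for every start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag_name, {attr: value})

    def handle_starttag(self, tag, attrs):
        # HTMLParser already decodes entities such as &quot; in attr values,
        # which is exactly what a browser does before handing them to the DOM.
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list:
    """Parse markup leniently and return the start tags it contains."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def tag_names(markup: str) -> list:
    """Just the element names, in document order."""
    return [tag for tag, _ in parse_tags(markup)]


def href_allowed(url: str) -> bool:
    """Scheme allow-list for the href.

    Not part of the plugin's fix; added here because escaping protects the
    attribute boundary but does nothing about a javascript: URL inside it.
    """
    return urlsplit(url).scheme.lower() in {"http", "https"}


# Constructed inputs: a description an attacker holding Job/Configure could
# store on a deployment target, and an assumed target URL.
PAYLOAD = '"><img src=x onerror="alert(document.domain)">'
URL = "https://deploy.example.test/app"

if __name__ == "__main__":
    for escaped in (False, True):
        markup = render_link(URL, PAYLOAD, escaped)
        print(("1.3 " if escaped else "1.2 ") + markup)
        print("    elements seen by the parser:", tag_names(markup))
    print("javascript: href allowed?", href_allowed("javascript:alert(1)"))
```

With the raw interpolation the parser sees two elements, `a` and an injected `img` carrying an event handler; with the escaped interpolation it sees only `a`, and the attacker's text survives purely as the value of the `tooltip` attribute. The `href_allowed` check is the extra step a reviewer would ask for wherever a stored URL lands in an `href`.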
Impact
Script running in a victim's browser inherits that user's Jenkins session, so the attacker can read whatever the victim can read and submit whatever requests the victim is authorized to make, for example changing job configuration; if the victim is an administrator, that reach extends to the whole instance. Because the payload is stored with the job, every user who views the affected build page is exposed, not just a user tricked into following a link [1][2].
Mitigation
The vulnerability is fixed in Deployer Framework Plugin version 1.3 [2][3], and upgrading is the remedy; no workaround is documented. Until the upgrade is applied, restricting Job/Configure permission to trusted users limits who can plant a payload, but it does not protect users who view a build page on which one is already stored.
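As a check to run before and after the upgrade, the following added example (not the plugin's or Jenkins' own code) reads the plugin inventory that Jenkins exposes at `/pluginManager/api/json?depth=1` and reports any Deployer Framework Plugin install below 1.3, the first fixed version in the Affected packages table below. The JSON document is constructed for the example; the `fetch_plugin_list` helper, its credential handling and the base URL are assumptions about how a reader would obtain the real document.

```python
"""Added example, not part of Jenkins or the Deployer Framework Plugin.

Flags installs of the Deployer Framework Plugin (short name
'deployer-framework', artifact org.jenkins-ci.plugins:deployer-framework)
older than the fixed version 1.3, using the JSON that Jenkins serves from
/pluginManager/api/json?depth=1.
"""
import base64
import json
import urllib.request

PLUGIN_SHORT_NAME = "deployer-framework"
FIXED_VERSION = "1.3"


def parse_version(version: str) -> tuple:
    """Map '1.2', '1.3', '1.2.1' or '1.0-beta-2' to a comparable int tuple.

    Each dot-separated piece contributes its leading digits; parsing stops at
    the first piece without any, so '1.0-beta-2' becomes (1, 0). An empty or
    unparsable string becomes () and therefore sorts below every real
    version, which errs on the side of reporting it.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for any version strictly below 1.3, i.e. the advisory's
    '1.2 and earlier' / '< 1.3' range."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_vulnerable(plugin_api_json: str) -> list:
    """Return [(shortName, version)] for affected Deployer Framework installs
    found in a /pluginManager/api/json?depth=1 document."""
    doc = json.loads(plugin_api_json)
    hits = []
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = str(plugin.get("version", ""))
        if is_vulnerable(version):
            hits.append((plugin["shortName"], version))
    return hits


def fetch_plugin_list(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live document with HTTP basic auth (Jenkins user + API token).

    Assumed deployment details; the offline demo below does not call this.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of the plugin-manager response, trimmed to the fields used.
SAMPLE_PLUGIN_API = json.dumps({
    "plugins": [
        {"shortName": "deployer-framework", "version": "1.2", "enabled": True},
        {"shortName": "git", "version": "4.3.0", "enabled": True},
        {"shortName": "matrix-auth", "version": "2.6.1", "enabled": True},
    ]
})

if __name__ == "__main__":
    for name, version in find_vulnerable(SAMPLE_PLUGIN_API):
        print(f"{name} {version}: affected by CVE-2020-2227, upgrade to {FIXED_VERSION}")
```

Run against the sample it reports `deployer-framework 1.2`; against a live instance, replace `SAMPLE_PLUGIN_API` with the string returned by `fetch_plugin_list`. The version comparison is deliberately numeric rather than a string compare, so `1.2.9` is still reported and `1.3.1` is not.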
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:deployer-framework | Maven | < 1.3 | 1.3 |
Affected products
2 products listed (version range: unspecified)
Patches
Commit 8fa2e16bce85 (commit message: SECURITY-1915)
2 files changed · +2 −2
src/main/resources/com/cloudbees/plugins/deployer/records/DeployedApplicationAction/summary.jelly+1 −1 modified@@ -27,7 +27,7 @@ <t:summary icon='${it.getImageOf("48x48")}'> <p> ${%DeployedTo(it.location.displayName)} - <a href="${it.location.locationURL}" tooltip="${it.location.description}">${it.location.locationURL}</a><br /> + <a href="${it.location.locationURL}" tooltip="${h.xmlEscape(it.location.description)}">${it.location.locationURL}</a><br /> <small>${it.location.description}</small> </p> </t:summary>
src/main/resources/com/cloudbees/plugins/deployer/records/DeployedApplicationFingerprintFacet/main.jelly+1 −1 modified@@ -29,7 +29,7 @@ <j:set var="icon" value='${it.location.getImageOf("16x16")}'/> <p> ${%DeployedTo(it.location.displayName)} - <a href="${it.location.locationURL}" tooltip="${it.location.description}"> + <a href="${it.location.locationURL}" tooltip="${h.xmlEscape(it.location.description)}"> <img src="${icon.startsWith('/') ? resURL+icon : imagesURL+'/16x16/'+icon}" width="16" height="16" alt="" />${it.location.locationURL}</a> </p> </j:jelly>
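Review bot: in the summary.jelly hunk only the tooltip attribute gains h.xmlEscape, while the same `${it.location.description}` is still emitted raw inside `<small>` two lines below and `${it.location.locationURL}` goes unchanged into both the href attribute and the link text. If the reason is that this view's root declares Jelly escape-by-default, which covers text nodes and ordinary attributes but not a tooltip whose value the tooltip widget inserts as HTML, a one-line comment next to the `<a>` saying so would stop the next reader from flagging the inconsistency; if it does not, the `<small>` and the link text need the same escaping. Separately, attribute escaping does not make a `javascript:` value in href harmless, so the location URL's scheme should be validated where the location is configured rather than relied on here.

Review bot: the main.jelly hunk has the same shape: the tooltip is escaped but `href="${it.location.locationURL}"` and the `${it.location.locationURL}` link text are not, and the diff shows the closing `</j:jelly>` but not the opening `<j:jelly ...>` element, so escape-by-default cannot be confirmed from what is visible. Suggest the commit message, which currently reads only `SECURITY-1915`, or a comment in the view state which interpolations rely on default escaping and why `tooltip` alone needs an explicit h.xmlEscape.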
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. GitHub Security Advisory GHSA-cfvw-84vq-43mx: https://github.com/advisories/GHSA-cfvw-84vq-43mx
2. NVD entry for CVE-2020-2227: https://nvd.nist.gov/vuln/detail/CVE-2020-2227
3. oss-security mailing list post, 15 July 2020: https://www.openwall.com/lists/oss-security/2020/07/15/5
4. Fix commit in jenkinsci/deployer-framework-plugin: https://github.com/jenkinsci/deployer-framework-plugin/commit/8fa2e16bce85ec1b93be60102d7cfb5153876e83
5. Jenkins Security Advisory 2020-07-15: https://jenkins.io/security/advisory/2020-07-15/
News mentions
- Jenkins Security Advisory 2020-07-15 (Jenkins Security Advisories, Jul 15, 2020)