CVE-2020-2236

Jenkins Yet Another Build Visualizer Plugin versions 1.11 and earlier do not properly escape tooltip content displayed in the build visualization interface [1]. This failure to sanitize user-controllable input results in a stored cross-site scripting (XSS) vulnerability [2]. The root cause is the lack of output encoding before tooltip values are rendered in the browser, allowing injected scripts to persist and execute in the context of other users' sessions.

To exploit this vulnerability, an attacker must have Run/Update (i.e., Job/Configure) permission on a Jenkins job [1]. The attacker can inject malicious JavaScript into a tooltip value—for example, by setting the display name or other job metadata that gets used as tooltip content [2]. When other users (including administrators) view the build flow graph, the crafted tooltip triggers the script in their browsers. No additional user interaction beyond viewing the affected page is required.

Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the Jenkins UI on behalf of victims [2]. This can be leveraged to steal session cookies, manipulate Jenkins configuration, or perform actions as the victim user, depending on their permissions. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) by the Jenkins security team [2].

The issue is resolved in Yet Another Build Visualizer Plugin version 1.12 [2][3]. Users are advised to upgrade to this version immediately. For Jenkins core installations, the advisory also notes that similar tooltip escaping issues were fixed in Jenkins 2.252 and LTS 2.235.4 [2]. No workaround is available beyond upgrading, as the plugin's core functionality relies on rendering tooltip content without proper sanitization in earlier releases.