VYPR
High severity · NVD Advisory · Published Sep 1, 2020 · Updated Aug 4, 2024

CVE-2020-2244

Description

Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Build Failure Analyzer Plugin 1.27.0 and earlier have a stored XSS vulnerability due to unescaped matching text in form validation responses.

Vulnerability

Description

Jenkins Build Failure Analyzer Plugin versions 1.27.0 and earlier fail to escape matching text in a form validation response. This allows attackers to inject arbitrary HTML and JavaScript, leading to a stored cross-site scripting (XSS) vulnerability [1][3].

Exploitation

An attacker must be able to provide console output for builds that are used to test build log indications [1]. The vulnerability is triggered when the plugin processes a build log and displays the matching text in a validation response without proper encoding [3]. No special authentication is required beyond being able to trigger builds with crafted console output.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the Jenkins user viewing the affected page. This could lead to session hijacking, credential theft, or other malicious actions within Jenkins [1].

Mitigation

The Build Failure Analyzer Plugin version 1.27.1 fixes the issue by properly escaping matching text in form validation responses [2]. Users should update to this version or later. No workarounds are mentioned in the advisory.
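The failure mode described above, modelled as an added example (not code from the plugin or from Jenkins): a build log indication is tested by matching a regular expression against console output lines, and the first matching line is echoed back in the validation response. The vulnerable path returns that line as markup; the fixed path HTML-escapes it first. The console output, the indication pattern and the regex-per-line matching are constructed assumptions, and Python's html.escape stands in for the escaping Jenkins applies in FormValidation.ok.

```python
import html
import re

# Constructed sample console output. Anyone who can make a build print text
# controls these lines, so the matched line must be treated as untrusted.
CONSOLE_OUTPUT = """\
[INFO] Compiling 12 source files
[ERROR] BUILD FAILED: could not resolve dependency
<img src=x onerror=alert(document.cookie)> BUILD FAILED
"""


def first_matching_line(console_output: str, pattern: str):
    """Model of the indication test: first console line matching the pattern, or None.
    (Assumption: per-line regex search; the plugin's exact matching rules may differ.)"""
    regex = re.compile(pattern)
    for line in console_output.splitlines():
        if regex.search(line):
            return line
    return None


def validation_response_vulnerable(matched_line):
    """Pre-1.27.1 behaviour: the matched line is placed in the response as markup, unescaped."""
    if matched_line is None:
        return {"kind": "warning", "html": "String does not match pattern"}
    return {"kind": "ok", "html": matched_line}


def validation_response_fixed(matched_line):
    """1.27.1 behaviour: the matched line is HTML-escaped before it is placed in the response."""
    if matched_line is None:
        return {"kind": "warning", "html": "String does not match pattern"}
    return {"kind": "ok", "html": html.escape(matched_line, quote=True)}


def contains_raw_markup(html_fragment: str) -> bool:
    """Regression check a defender can keep in a test suite: an escaped validation
    message built from untrusted text must never carry raw tag delimiters."""
    return "<" in html_fragment or ">" in html_fragment


if __name__ == "__main__":
    line = first_matching_line(CONSOLE_OUTPUT, r"BUILD FAILED$")
    print("vulnerable:", validation_response_vulnerable(line)["html"])
    print("fixed:     ", validation_response_fixed(line)["html"])
```

The pattern `BUILD FAILED$` deliberately matches only the third line, so the echoed text is the attacker-influenced one; with the vulnerable response the browser renders the tag, with the fixed response it renders the literal characters.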

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer (Maven)
Affected versions: < 1.27.1
Patched versions: 1.27.1


Patches
c974938f213d

[SECURITY-1770]

1 file changed · +1 −1
  • src/main/java/com/sonyericsson/jenkins/plugins/bfa/model/indication/BuildLogIndication.java +1 −1 modified
    @@ -327,7 +327,7 @@ && isValidBuildId(urlParts[2])) {
                                 if (foundIndication == null) {
                                     return FormValidation.warning(Messages.StringDoesNotMatchPattern());
                                 }
    -                            return FormValidation.okWithMarkup(foundIndication.getFirstMatchingLine());
    +                            return FormValidation.ok(foundIndication.getFirstMatchingLine());
                             } catch (IOException e) {
                                 return FormValidation.error(Messages.FailedToScanFile_Error());
                             }
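Review bot: swapping okWithMarkup for ok on the success path is the right fix, since getFirstMatchingLine() returns text taken from build console output and ok applies escaping to its message, but the hunk ships without a regression test; a unit test that feeds a console line containing a tag through this validation and asserts the returned message is escaped would stop a later reintroduction of okWithMarkup. Also worth confirming that no other FormValidation.okWithMarkup call in BuildLogIndication takes text derived from the scanned file.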
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
