VYPR
High severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2256

Description

Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier has a stored XSS vulnerability via unescaped upstream job display names.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Details

Jenkins Pipeline Maven Integration Plugin versions 3.9.2 and earlier fail to escape the display name of an upstream job when it is shown as part of a build cause [1][2]. This lack of output encoding allows an attacker to inject malicious HTML or JavaScript into the Jenkins interface [4].

Exploitation

Prerequisites

The flaw is stored cross-site scripting (XSS) and requires an attacker to have Job/Configure permission [2][4]. The attacker sets a crafted display name on a job, and when that job triggers a downstream build, the unescaped display name renders in the build cause page viewed by other users [2].

Impact

A successful exploit can lead to arbitrary HTML and JavaScript execution in the context of a victim's Jenkins session [2]. This could allow attackers to perform actions on behalf of authenticated users, steal session tokens, or access sensitive information within the Jenkins environment [2][4].

Mitigation

Pipeline Maven Integration Plugin version 3.9.3 fixes the vulnerability by properly escaping the upstream job display name [1][3]. Users should upgrade to this version or later. No workaround is available; upgrading is the recommended remediation [2][4].
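As an added example (not part of the advisory or the plugin's own code), the following offline audit walks job display names in the shape Jenkins' JSON API returns them, flags any that carry markup characters, and shows the escaped form a fixed template renders; the API data below is constructed sample input, and the job names are hypothetical.

```python
import html
import json

# Constructed sample (not from the advisory) in the shape returned by Jenkins'
# JSON API, e.g. GET /api/json?tree=jobs[name,displayName,jobs[name,displayName]]
# Folders nest their children under "jobs".
SAMPLE_API_JSON = json.dumps({
    "jobs": [
        {"name": "lib-core", "displayName": "lib-core"},
        {"name": "team-a", "displayName": "Team A", "jobs": [
            {"name": "build-api", "displayName": "build-api"},
            {"name": "deps", "displayName": "deps <b>nightly</b>"},
            {"name": "r-and-d", "displayName": "R&D pipeline"},
        ]},
    ]
})

# Characters that an HTML-escaping template neutralises, grouped by what they
# could do if emitted raw into a page.
MARKUP_CHARS = {"<": "tag", ">": "tag", "&": "entity", '"': "quote", "'": "quote"}


def walk_jobs(node, path=""):
    """Yield (full job name, display name) for every job, recursing into folders."""
    for job in node.get("jobs", []):
        full_name = f"{path}/{job['name']}" if path else job["name"]
        yield full_name, job.get("displayName") or job["name"]
        if "jobs" in job:
            yield from walk_jobs(job, full_name)


def find_markup_display_names(api_json_text):
    """Return jobs whose display name contains markup characters, together with
    the escaped form that a fixed (3.9.3+) template would render for them."""
    findings = []
    for full_name, display in walk_jobs(json.loads(api_json_text)):
        kinds = sorted({MARKUP_CHARS[c] for c in display if c in MARKUP_CHARS})
        if kinds:
            findings.append({
                "job": full_name,
                "displayName": display,
                "kinds": kinds,
                "escaped": html.escape(display, quote=True),
            })
    return findings


if __name__ == "__main__":
    for f in find_markup_display_names(SAMPLE_API_JSON):
        print(f"{f['job']}: {f['kinds']} -> {f['escaped']}")
```

A name containing only `&` (like "R&D") is flagged at the lower "entity" level, so the output distinguishes ordinary punctuation from names that would inject tags.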

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:pipeline-maven (Maven)
Affected versions: < 3.9.3
Patched versions: 3.9.3

Patches

Commit 78b8e6d49bff

[SECURITY-1976]

https://github.com/jenkinsci/pipeline-maven-plugin · Arnaud Héritier · Sep 14, 2020 · via ghsa
1 file changed · +4 −4
  • jenkins-plugin/src/main/resources/org/jenkinsci/plugins/pipeline/maven/cause/MavenDependencyUpstreamCause/description.jelly · +4 −4 · modified
    @@ -32,20 +32,20 @@ Based on jenkins-core-2.46.3.jar!/hudson/model/Cause/UpstreamCause/description.j
                 <j:when test="${it.upstreamUrl!=null and app.getItemByFullName(it.upstreamProject)!=null}">
                     <j:choose>
                         <j:when test="${app.getItemByFullName(it.upstreamProject).getBuildByNumber(it.upstreamBuild)!=null}">
    -                        <j:out value="${%started_by_project(app.getItemByFullName(it.upstreamProject).fullDisplayName,it.upstreamBuild.toString(),it.upstreamUrl,rootURL,it.mavenArtifactsDescription)}"/>
    +                        ${%started_by_project(app.getItemByFullName(it.upstreamProject).fullDisplayName,it.upstreamBuild.toString(),it.upstreamUrl,rootURL,it.mavenArtifactsDescription)}
                         </j:when>
                         <j:otherwise>
    -                        <j:out value="${%started_by_project_with_deleted_build(app.getItemByFullName(it.upstreamProject).fullDisplayName,it.upstreamBuild.toString(),it.upstreamUrl,rootURL,it.mavenArtifactsDescription)}"/>
    +                        ${%started_by_project_with_deleted_build(app.getItemByFullName(it.upstreamProject).fullDisplayName,it.upstreamBuild.toString(),it.upstreamUrl,rootURL,it.mavenArtifactsDescription)}
                         </j:otherwise>
                     </j:choose>
                 </j:when>
                 <j:otherwise>
    -                <j:out value="${it.shortDescription}"/>
    +                ${it.shortDescription}
                 </j:otherwise>
             </j:choose>
     
             <j:if test="${!it.upstreamCauses.isEmpty()}">
    -            <br /><j:out value="${%caused_by}" />
    +            <br />${%caused_by}
                 <ul>
                     <j:forEach var="c" items="${it.upstreamCauses}">
                         <li><st:include page="description.jelly" it="${c}" /></li>
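Review bot: replacing `<j:out value="${%started_by_project(...)}"/>` with a bare `${%started_by_project(...)}` expression escapes the whole localized message, not only the `fullDisplayName` argument that needed it, and this commit changes description.jelly alone. The message is handed `it.upstreamUrl` and `rootURL`, which suggests it assembles a link; if it contains any markup, that markup will now render as literal text. Either confirm the message is plain text, or keep `<j:out>` and escape just the display-name argument (for example with the Jenkins `h.escape(...)` helper), and treat the `started_by_project_with_deleted_build` branch the same way. The `${it.shortDescription}` and `${%caused_by}` changes look fine as plain text.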
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
