CVE-2020-2270
Description
Jenkins ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins ClearCase Release Plugin 0.3 and earlier has a stored XSS vulnerability via unescaped composite baseline in badge tooltips, exploitable by users with Job/Configure permission.
Vulnerability
The Jenkins ClearCase Release Plugin, versions 0.3 and earlier, fails to escape the composite baseline value when displayed in a badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability [1][3]. The root cause is improper neutralization of input during web page generation, allowing arbitrary HTML or JavaScript to be stored within the plugin's configuration and rendered in tooltips.
Exploitation
An attacker with Job/Configure permission can set a malicious composite baseline name containing JavaScript code. When other users view job pages with the badge, the injected script executes in their browser within the Jenkins UI context [1]. No additional authentication is required beyond the initial permission, and network access to Jenkins is sufficient.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other Jenkins users. This can lead to session hijacking, credential theft, or actions performed on behalf of the victim, potentially compromising the entire Jenkins instance [2]. The vulnerability is categorized as stored XSS due to the script being persistently stored in the job configuration.
Mitigation
As of the advisory date (2020-09-16), no fix was available for this plugin [2]. Users are advised to restrict Job/Configure permissions to trusted users only and consider disabling the plugin if not required. The plugin remains vulnerable on all current versions [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jvnet.hudson.plugins:clearcase-release (Maven) | <= 0.3 | — |
Affected products
- Range: <=0.3
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2c84-35rv-6q3f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2270 (NVD advisory)
- www.openwall.com/lists/oss-security/2020/09/16/3 (oss-security mailing list)
- www.jenkins.io/security/advisory/2020-09-16/ (Jenkins vendor advisory)
News mentions
- Jenkins Security Advisory 2020-09-16 (Jenkins Security Advisories, Sep 16, 2020)