Moderate severity · NVD Advisory · Published Sep 23, 2020 · Updated Aug 4, 2024

CVE-2020-2283

Description

Jenkins Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents, leading to stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Liquibase Runner Plugin version 1.4.5 and earlier does not escape changeset contents, resulting in a stored cross-site scripting (XSS) vulnerability [1][2]. The plugin renders user-controlled changeset content in the Jenkins UI without escaping it first.

Exploitation

An attacker who can control the changeset files evaluated by the plugin can exploit this vulnerability [1]. No privilege is required beyond the ability to supply changeset content, which may be available through normal Jenkins usage to users holding the relevant permissions.

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into Jenkins pages, leading to potential session hijacking, credential theft, or other actions on behalf of an authenticated user [1][2].

Mitigation

The vulnerability is fixed in Liquibase Runner Plugin version 1.4.8 [3][4]. Users should upgrade immediately. The fix involves properly escaping changeset contents to prevent XSS [4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:liquibase-runner   Maven       < 1.4.6             1.4.6

Patches

4873c19dc921

Do not use j:out

1 file changed · +2 −2
  • src/main/resources/org/jenkinsci/plugins/liquibase/evaluator/ChangeSetDetail/index.jelly · +2 −2 · modified
    @@ -62,7 +62,7 @@
                         <tr>
                             <td colspan="2">
                                 <pre>
    -                                <j:out  value="${it.exceptionMessage}"/>
    +                                ${it.exceptionMessage}
                                 </pre>
                             </td>
                         </tr>
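Review bot: replacing the `<j:out value="${it.exceptionMessage}"/>` element with a bare `${it.exceptionMessage}` text node is the correct fix at this spot, since `j:out` writes its value into the page unescaped while a Jelly expression inside element text is HTML-escaped on output, which is what "Do not use j:out" in the commit message refers to; the commit touches only this one occurrence, though, so it is worth confirming that no other view in the plugin renders changeset-derived values through `j:out`, and adding a regression test that renders `ChangeSetDetail` with an exception message containing HTML metacharacters and asserts the resulting markup is escaped.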
    @@ -99,4 +99,4 @@
                 </style>
             </l:main-panel>
         </l:layout>
    -</j:jelly>
    \ No newline at end of file
    +</j:jelly>
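Review bot: this hunk changes nothing but the missing newline at end of file (the `\ No newline at end of file` marker applies to the removed line only, and the added line is identical text); it is unrelated to the escaping fix and could be left out or committed separately so the security patch stays minimal and easier to backport.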
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
