CVE-2020-2292
Description
Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Release Plugin 2.10.2 and earlier has a stored XSS vulnerability via unescaped release version in badge tooltip.
Vulnerability
Description
Jenkins Release Plugin 2.10.2 and earlier does not escape the release version when it is displayed in a badge tooltip on build pages. This flaw allows an attacker to inject malicious HTML or JavaScript code into the tooltip, leading to stored cross-site scripting (XSS) [1][2].
Exploitation
Prerequisites
An attacker must have at least Release/Release permission in Jenkins to exploit this vulnerability. By crafting a release version string containing JavaScript, the attacker can store the payload on the Jenkins server. When other users (including administrators) hover over the badge, the injected script executes in their browser context [1][2].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's Jenkins session. This can lead to theft of session cookies, modification of job configurations, credential extraction, or other actions that the victim user can perform [1][2].
Mitigation
Jenkins plugin maintainers have acknowledged the issue and provided a fix in commit 99814a0, which escapes the release version before rendering it in the tooltip [4]. Users are advised to update to a patched version once available or apply the fix manually [3]. The vulnerability has been assigned CVE-2020-2292 with a CVSS v3.1 base score of 6.5 (Medium) [2].
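As an added illustration, not code from the Release Plugin, the shape of the fix in a self-contained form: the badge getter before and after escaping, rendered into a constructed tooltip attribute. The escapeForXml helper is a local stand-in written for this example, not hudson.Util.xmlEscape, and the renderBadge view is an assumption about how the badge is rendered; the helper also escapes quotes because this example places the value inside an attribute.

```java
// Added example: getter before/after the SECURITY-1928 fix, with a constructed
// tooltip renderer. escapeForXml() is a local stand-in, not hudson.Util.xmlEscape.
public class ReleaseBadgeEscapingDemo {

    // Escapes characters that can break out of element text or a quoted
    // attribute. Quote escaping is this example's choice because the value
    // lands inside an attribute below; it is not a claim about the plugin.
    static String escapeForXml(String text) {
        StringBuilder buf = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char ch = text.charAt(i);
            switch (ch) {
                case '<':  buf.append("&lt;");   break;
                case '>':  buf.append("&gt;");   break;
                case '&':  buf.append("&amp;");  break;
                case '"':  buf.append("&quot;"); break;
                case '\'': buf.append("&#39;");  break;
                default:   buf.append(ch);
            }
        }
        return buf.toString();
    }

    // Shape of ReleaseBuildBadgeAction: the version is whatever the user
    // holding Release/Release permission typed at release time.
    static final class BadgeAction {
        private final String releaseVersion;
        BadgeAction(String releaseVersion) { this.releaseVersion = releaseVersion; }

        // 2.10.2 and earlier: the stored value reaches the view unchanged.
        String getReleaseVersionBefore() { return releaseVersion; }

        // 2.11: escaped in the getter, null preserved (same shape as the fix).
        String getReleaseVersionAfter() {
            return releaseVersion != null ? escapeForXml(releaseVersion) : null;
        }
    }

    // Constructed stand-in for the view: inlines the value into a tooltip attribute.
    static String renderBadge(String version) {
        return "<img src=\"release.gif\" tooltip=\"Release " + version + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed version carrying markup: the old getter lets the tag
        // through to the page, the new getter turns it into inert text.
        BadgeAction badge = new BadgeAction("1.0<script>alert(1)</script>");
        String before = renderBadge(badge.getReleaseVersionBefore());
        String after = renderBadge(badge.getReleaseVersionAfter());
        System.out.println("before: " + before + "  has tag: " + before.contains("<script>"));
        System.out.println("after:  " + after + "  has tag: " + after.contains("<script>"));
        System.out.println("null stays null: " + (new BadgeAction(null).getReleaseVersionAfter() == null));
    }
}
```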
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:release (Maven) | < 2.11 | 2.11 |
Affected products
- Range: <=2.10.2
- Range: unspecified
Patches
99814a0c82f5 SECURITY-1928 Fix stored xss (#33)
1 file changed · +1 −1
src/main/java/hudson/plugins/release/ReleaseWrapper.java+1 −1 modified@@ -737,7 +737,7 @@ public ReleaseBuildBadgeAction() { } public String getReleaseVersion() { - return releaseVersion; + return releaseVersion != null ? Util.xmlEscape(releaseVersion) : null; } public String getIconFileName() { return null; }
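Review bot: escaping inside getReleaseVersion() changes the value every caller of the getter sees, not only the tooltip, so confirm that no other code path reads this getter expecting the raw string (anything that writes the version back into configuration, compares it, or renders it through a view that already escapes, which would now double-escape). The hunk is +1 −1 and introduces an unqualified Util, so hudson.Util must already be imported in ReleaseWrapper.java; worth a glance that it is, since the diff does not show it. Note also that the releaseVersion field itself is untouched, so the raw string still lives in the build record; that is fine for this fix, but it is the view-facing getter alone that now protects it, so a future accessor added to the same class would need the same treatment.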
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-vmg8-g8j3-m355 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2020-2292 (NVD advisory)
3. www.openwall.com/lists/oss-security/2020/10/08/5 (oss-security mailing list)
4. github.com/jenkinsci/release-plugin/commit/99814a0c82f5edf34ad297c2e98af9315bc6b5c2 (fix commit)
5. www.jenkins.io/security/advisory/2020-10-08/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2020-10-08 (Jenkins Security Advisories · Oct 8, 2020)