VYPR
Moderate severity · NVD Advisory · Published Nov 4, 2020 · Updated Aug 4, 2024

CVE-2020-2316

Description

Jenkins Static Analysis Utilities Plugin 1.96 and earlier has a stored XSS vulnerability via unescaped annotation messages in tooltips, exploitable by attackers with Job/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Static Analysis Utilities Plugin versions 1.96 and earlier fail to escape annotation messages when rendering tooltips. This flaw allows attackers to inject arbitrary HTML or JavaScript into annotation messages, which are then stored and served to users viewing the tooltip [1][2].

To exploit this stored cross-site scripting (XSS) vulnerability, an attacker must have the Job/Configure permission on a Jenkins job. They can modify an annotation message to include malicious script. When other users (including administrators) hover over the affected tooltip, the script executes in the context of their browser session [1].

Successful exploitation enables the attacker to perform actions on behalf of the victim within Jenkins, such as manipulating jobs, accessing credentials, or even escalating privileges if the victim is an administrator. The XSS is stored, meaning the payload persists until the annotation is removed or the plugin is updated [1].

The vulnerability is addressed in Static Analysis Utilities Plugin version 1.97, which properly escapes annotation messages. Users are advised to update to this version or later. No workaround is provided for earlier versions [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jvnet.hudson.plugins:analysis-core (Maven)
Affected versions: <= 1.96
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 1