VYPR
Moderate severity · NVD Advisory · Published Nov 4, 2020 · Updated Aug 4, 2024

CVE-2020-2317

Description

Jenkins FindBugs Plugin 5.0.0 and earlier has a stored XSS vulnerability because it fails to escape annotation messages in tooltips.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message displayed in tooltips. This improper handling of user-controlled data allows attacker-supplied HTML or JavaScript to be stored and later rendered unsafely in a victim's browser [1][2].

The vulnerability is triggered when an attacker provides a maliciously crafted report file to the Jenkins FindBugs Plugin's post-build step [1]. The report content is processed by the plugin, and the annotation message field is included in tooltip HTML without escaping. A user viewing a build page with such an annotation would unwittingly execute the embedded script, leading to a stored cross-site scripting (XSS) attack [2].
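As an added illustration (not the plugin's code), a small Python model of the flaw class described above: an annotation message interpolated verbatim into a tooltip attribute, beside the attribute-escaped form, with a parser-based check that confirms the fix keeps the message as attribute text. The markup, the sample message and the function names are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: an annotation message as it might arrive in an uploaded
# report file. The report is attacker-controlled input, so this string is
# untrusted; the leading double quote is what breaks out of title="...".
UNTRUSTED_MESSAGE = '"><img src=x onerror=alert(1)>'


def render_tooltip_unescaped(message: str) -> str:
    """Flaw class from the advisory: the message is interpolated into the
    tooltip attribute verbatim (hypothetical markup, not the plugin's)."""
    return f'<span class="annotation" title="{message}">warning</span>'


def render_tooltip_escaped(message: str) -> str:
    """Fix: escape for HTML attribute context so & < > " ' are encoded and
    the message can only ever be attribute text, never markup."""
    safe = html.escape(message, quote=True)
    return f'<span class="annotation" title="{safe}">warning</span>'


class _FragmentCollector(HTMLParser):
    """Records the element tags and title attribute values a browser-like
    parser would see in a rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.titles: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.titles.extend(v or "" for k, v in attrs if k == "title")


def parse_fragment(markup: str) -> tuple[list[str], list[str]]:
    """Parse a fragment and return (tags seen, title attribute values)."""
    parser = _FragmentCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.titles


def tooltip_is_safe(markup: str, message: str) -> bool:
    """Acceptance check for the fix: exactly one <span>, and its title
    decodes back to the original message (nothing leaked into markup)."""
    tags, titles = parse_fragment(markup)
    return tags == ["span"] and titles == [message]
```

The unescaped renderer lets the sample message inject a second element into the fragment, while the escaped renderer yields a single span whose title round-trips to the original string.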

Successful exploitation of this XSS vulnerability can allow an attacker to steal session cookies, impersonate the victim user, or perform actions in Jenkins as that user [1]. Because the attack originates from a stored report, it does not require a separate phishing step and can affect any user who views the relevant build results [2].

Jenkins has released a fix in FindBugs Plugin version 5.0.1 [1]. Users are advised to update to the latest version. The plugin's source repository also reflects the change [3]. As of November 2020, no workarounds other than upgrading or removing the plugin have been documented [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jvnet.hudson.plugins:findbugs (Maven)
Affected versions: <= 5.0.0
Patched versions: (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1