Vulnerability Details CVE-2020-2096
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.937
EPSS Ranking 99.8%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
- http://packetstormsecurity.com/files/155967/Jenkins-Gitlab-Hook-1.4.2-Cross-Site-Scripting.html
- http://www.openwall.com/lists/oss-security/2020/01/15/1
- https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1683
Products affected by CVE-2020-2096
-
cpe:2.3:a:jenkins:gitlab_hook:0.1.1
-
cpe:2.3:a:jenkins:gitlab_hook:0.2.1
-
cpe:2.3:a:jenkins:gitlab_hook:0.2.10
-
cpe:2.3:a:jenkins:gitlab_hook:0.2.11
-
cpe:2.3:a:jenkins:gitlab_hook:0.2.12
-
cpe:2.3:a:jenkins:gitlab_hook:0.2.7
-
cpe:2.3:a:jenkins:gitlab_hook:0.2.8
-
cpe:2.3:a:jenkins:gitlab_hook:0.2.9
-
cpe:2.3:a:jenkins:gitlab_hook:1.0.0
-
cpe:2.3:a:jenkins:gitlab_hook:1.1.0
-
cpe:2.3:a:jenkins:gitlab_hook:1.2.0
-
cpe:2.3:a:jenkins:gitlab_hook:1.3.0
-
cpe:2.3:a:jenkins:gitlab_hook:1.3.1
-
cpe:2.3:a:jenkins:gitlab_hook:1.4.0
-
cpe:2.3:a:jenkins:gitlab_hook:1.4.1
-
cpe:2.3:a:jenkins:gitlab_hook:1.4.2