CVE-2020-2136 — Improper Neutralization of Input During Web Page Generation in Jenkins Git Plugi

Description

Jenkins Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation, resulting in a stored cross-site scripting vulnerability.

How to fix CVE-2020-2136

To remediate CVE-2020-2136, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins:git—upgrade to 4.2.1 or later

Is CVE-2020-2136 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.2.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2136
WEBgithub.com/jenkinsci/git-plugin/commit/f581998be38cfed8e080c672c4b7caa8b4a45979
WEBjenkins.io/security/advisory/2020-03-09/#SECURITY-1723
WEBwww.openwall.com/lists/oss-security/2020/03/09/1