CVE-2020-2229 in Jenkins
Summary
by MITRE
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons, resulting in a stored cross-site scripting (XSS) vulnerability.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/05/2025
This vulnerability exists in Jenkins versions up to 2.251 and LTS versions up to 2.235.3 where the application fails to properly sanitize tooltip content associated with help icons. The issue stems from insufficient input validation and output escaping mechanisms within the web interface, allowing malicious actors to inject arbitrary JavaScript code through tooltip text fields. When users interact with help icons containing crafted malicious content, the unescaped script executes in the context of the victim's browser session, creating a persistent cross-site scripting attack vector. The vulnerability is classified as a stored XSS flaw because the malicious payload is stored within the application's data store and subsequently served to other users without proper sanitization. This represents a critical security risk as it enables attackers to execute arbitrary code in the browser of authenticated users, potentially leading to complete session hijacking, data exfiltration, or privilege escalation within the Jenkins environment. The flaw directly maps to CWE-79: Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security. From an operational perspective, this vulnerability can be exploited through various attack vectors including malicious plugin configurations, job descriptions, or any user-controllable tooltip content. The attack surface is broad as Jenkins administrators and developers frequently use tooltip help text to provide contextual information, making it an attractive target for attackers seeking persistent access. The impact extends beyond individual user sessions to potentially compromise entire CI/CD pipelines, as Jenkins often runs with elevated privileges and handles sensitive build artifacts and credentials. The ATT&CK framework categorizes this vulnerability under T1059.001: Command and Scripting Interpreter - PowerShell and T1566.001: Phishing - Spearphishing Attachment, as attackers can leverage the XSS to deliver additional malicious payloads or redirect users to compromised sites. Organizations should immediately upgrade to Jenkins versions 2.252 and later for the main release or LTS 2.235.4 and later to remediate this vulnerability. Additional mitigations include implementing Content Security Policy headers, conducting regular security audits of user-generated content, and establishing strict input validation policies for all tooltip and help text fields. The vulnerability demonstrates the critical importance of proper output escaping in web applications, particularly in environments where user interaction with help systems is common. Security teams should also consider implementing web application firewalls and monitoring for suspicious tooltip content patterns to detect potential exploitation attempts.