VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-re1r-xjv4-sqd3

Essentials
Severities (27)
References (14)
Severity details (12)
Exploits (1)
EPSS
History (1)

Vulnerability ID	VCID-re1r-xjv4-sqd3
Aliases	CVE-2020-2231 GHSA-jpvq-v729-7j2h
Summary	Improper Neutralization of Input During Web Page Generation in Jenkins Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Status	Published
Exploitability	2.0
Weighted Severity	6.2
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	5.4	http://packetstormsecurity.com/files/160616/Jenkins-2.251-LTS-2.235.3-Cross-Site-Scripting.html
generic_textual	MODERATE	http://packetstormsecurity.com/files/160616/Jenkins-2.251-LTS-2.235.3-Cross-Site-Scripting.html
cvssv3	5.4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2231.json
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
epss	0.00472	https://api.first.org/data/v1/epss?cve=CVE-2020-2231
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-jpvq-v729-7j2h
cvssv3.1	5.4	https://github.com/jenkinsci/jenkins/commit/29c9a8fdeafe26fded955cfba188f50fd4f1786a
generic_textual	MODERATE	https://github.com/jenkinsci/jenkins/commit/29c9a8fdeafe26fded955cfba188f50fd4f1786a
cvssv3.1	5.4	https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1960
generic_textual	MODERATE	https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1960
cvssv3.1	5.4	https://nvd.nist.gov/vuln/detail/CVE-2020-2231
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2020-2231
cvssv3.1	5.4	http://www.openwall.com/lists/oss-security/2020/08/12/4
generic_textual	MODERATE	http://www.openwall.com/lists/oss-security/2020/08/12/4

Reference id	Reference type	URL
		http://packetstormsecurity.com/files/160616/Jenkins-2.251-LTS-2.235.3-Cross-Site-Scripting.html
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2231.json
		https://api.first.org/data/v1/epss?cve=CVE-2020-2231
		https://github.com/jenkinsci/jenkins/commit/29c9a8fdeafe26fded955cfba188f50fd4f1786a
		https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1960
		https://nvd.nist.gov/vuln/detail/CVE-2020-2231
		http://www.openwall.com/lists/oss-security/2020/08/12/4
1875234		https://bugzilla.redhat.com/show_bug.cgi?id=1875234
CVE-2020-2231	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/java/webapps/49244.txt
GHSA-jpvq-v729-7j2h		https://github.com/advisories/GHSA-jpvq-v729-7j2h
RHSA-2020:3808		https://access.redhat.com/errata/RHSA-2020:3808
RHSA-2020:3841		https://access.redhat.com/errata/RHSA-2020:3841
RHSA-2020:4220		https://access.redhat.com/errata/RHSA-2020:4220
RHSA-2020:4223		https://access.redhat.com/errata/RHSA-2020:4223

Data source	Exploit-DB
Date added	Dec. 14, 2020
Description	Jenkins 2.235.3 - 'X-Forwarded-For' Stored XSS
Ransomware campaign use	Unknown
Source publication date	Dec. 14, 2020
Exploit type	webapps
Platform	java
Source update date	Feb. 17, 2021

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at http://packetstormsecurity.com/files/160616/Jenkins-2.251-LTS-2.235.3-Cross-Site-Scripting.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2231.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/jenkinsci/jenkins/commit/29c9a8fdeafe26fded955cfba188f50fd4f1786a

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://jenkins.io/security/advisory/2020-08-12/#SECURITY-1960

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-2231

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2020/08/12/4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.64581
EPSS Score	0.00472
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:11:51.502062+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpvq-v729-7j2h/GHSA-jpvq-v729-7j2h.json	38.0.0