Jenkins Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Git Parameter Plugin 0.9.13 escapes the repository field on the 'Build with Parameters' page.

Affected Packages

Maven org.jenkins-ci.tools:git-parameter

Affected versions: 0 (fixed in 0.9.13)

Related CVEs

CVE-2020-2238

Key Information

GHSA ID

GHSA-j7q2-c6r4-x2jw

Published

May 24, 2022 5:27 PM

Last Modified

December 21, 2022 12:22 AM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.tools:git-parameter

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.