CVE-2020-2096 Scanner
CVE-2020-2096 scanner - Cross-Site Scripting (XSS) vulnerability in Jenkins Gitlab Hook Plugin
Short Info
Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 30 seconds
Time Interval: 4 weeks
Scan only one: URL
Toolbox: -
Jenkins Gitlab Hook Plugin is a software tool designed to help developers improve their workflow by automating the process of building and testing code changes. The plugin acts as a bridge between Jenkins and GitLab, allowing developers to trigger builds of their code and receive notifications of the results directly within their preferred software development tools. With the Jenkins Gitlab Hook Plugin, developers can save time and ensure code quality by automating these essential tasks.
However, the plugin was found to have a serious vulnerability, identified as CVE-2020-2096. The flaw is that the build_now endpoint does not safely handle the project name it receives, so an attacker can inject malicious code through that project name. The result is a reflected cross-site scripting (XSS) attack that can compromise any user who clicks on the crafted link or views the malicious page. The vulnerability was confirmed in Jenkins Gitlab Hook Plugin 1.4.2 and earlier versions.
When exploited, this vulnerability can lead to serious consequences. An attacker can steal sensitive information from users, such as passwords, cookies, and login credentials, by tricking them into clicking on a malicious link. Additionally, this vulnerability can be used to launch phishing attacks, spread malware, or take control of victims' computers.
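As an added defender-side example (not part of this page or of the scanner it describes), the following Python check scans access logs for requests to a build_now endpoint whose percent-decoded request target carries HTML metacharacters in the part where the project name is reflected. It assumes combined-log-format lines from a reverse proxy in front of Jenkins and that the project name appears in the request target after build_now; both are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined log format, as a reverse proxy
# in front of Jenkins might record them. They are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:12:00:01 +0000] "GET /gitlab/build_now/my-project HTTP/1.1" 200 512 "-" "curl/7.64"
10.0.0.7 - - [10/Jan/2020:12:00:03 +0000] "GET /gitlab/build_now/%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 404 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2020:12:00:05 +0000] "GET /job/my-project/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2020:12:00:07 +0000] "GET /gitlab/build_now/%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 404 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a reflected value break out of HTML text or an attribute.
HTML_META = set('<>"\'')


def decode_target(target: str) -> str:
    """Percent-decode until stable so single- and double-encoded values both surface."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target


def find_suspicious_build_now(log_text: str) -> list:
    """Return one record per request to a build_now endpoint (assumed path form)
    whose decoded target contains HTML metacharacters after the endpoint name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = decode_target(m['target'])
        idx = decoded.find('build_now')
        if idx == -1:
            continue
        reflected = decoded[idx + len('build_now'):]
        if HTML_META & set(reflected):
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'status': m['status'], 'target': decoded})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_build_now(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['target']}")
```

A hit on a patched instance still signals someone probing for the flaw, so the check is useful after upgrading as well.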
s4e.io, which provides in-depth security vulnerability audits for web applications, can quickly find and help users resolve this vulnerability and others like it. With s4e.io's professional tools and expertise, users can ensure their digital assets remain secure and protected against threats. By identifying vulnerabilities and offering tailored solutions, s4e.io can assist users in safeguarding their web applications from threats like CVE-2020-2096.