CVE-2020-2122

Name of the Vulnerable Software and Affected Versions Jenkins Brakeman Plugin versions 0.12 and earlier

Description The issue is related to a stored cross-site scripting vulnerability. It occurs because the plugin does not escape values received from parsed JSON files when rendering them. This vulnerability can be exploited by users who can control the Brakeman post-build step input data.

Recommendations For Jenkins Brakeman Plugin versions 0.12 and earlier, update to version 0.13 or later to resolve the issue. Note that the fix in version 0.13 only applies to newly recorded data after the updated plugin is installed, and historical data may still contain unsafe values. As a temporary workaround, consider restricting access to the Brakeman post-build step input data to minimize the risk of exploitation.