CVE-2020-2112: 
Java vulnerability analysis and mitigation

Git Parameter Plugin version 0.9.11 and earlier contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2020-2112. The vulnerability was discovered in February 2020 and affects the parameter name functionality of the plugin. The issue was fixed in version 0.9.12 of the Git Parameter Plugin (Jenkins Advisory).

The vulnerability stems from improper escaping of the parameter name in the Git Parameter Plugin. This results in a stored cross-site scripting vulnerability that can be exploited by users who have Job/Configure permission in Jenkins. The issue has a CVSS severity rating of Medium (Jenkins Advisory).

When successfully exploited, this vulnerability allows attackers with Job/Configure permission to execute arbitrary JavaScript code in the context of other users' browsers when they view the affected Jenkins pages. This could potentially lead to session hijacking, credential theft, or other client-side attacks (Jenkins Advisory).

The vulnerability was fixed in Git Parameter Plugin version 0.9.12, which properly escapes the parameter name shown on the UI. Users should upgrade to this version or later to mitigate the vulnerability. The fix ensures proper escaping of the parameter name when displayed in the user interface (Jenkins Advisory).

The vulnerability was discovered and reported by Sven Grossmann (@svennergr). The Jenkins project acknowledged the discovery in their security advisory (Jenkins Advisory).