CVE-2020-2174: 
Java vulnerability analysis and mitigation

The Jenkins AWSEB Deployment Plugin version 0.3.19 and earlier contains a reflected cross-site scripting (XSS) vulnerability identified as CVE-2020-2174. The vulnerability was discovered and reported by Wadeck Follonier of CloudBees, Inc., and was publicly disclosed on April 7, 2020. This security issue affects the AWSEB Deployment Plugin, which is a component of the Jenkins automation server (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's failure to properly escape various values that are printed as part of form validation output. This implementation flaw creates a reflected cross-site scripting vulnerability. The severity of this vulnerability is rated as Medium, with a CVSS v3.1 Base Score of 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

When successfully exploited, this vulnerability could allow an attacker to execute malicious scripts in a user's browser context when the user interacts with the affected form validation output. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious actions within the context of the affected Jenkins instance (Jenkins Advisory).

The vulnerability has been fixed in AWSEB Deployment Plugin version 0.3.20, which properly escapes the values printed as part of the affected form validation endpoints. Users are strongly advised to upgrade to this version or later to address the security issue. All versions up to and including 0.3.19 are considered vulnerable (Jenkins Advisory).