Miggo Logo
Miggo Vulnerability Database
CVE-2020-2110

CVE-2020-2110: Improper Input Validation in Jenkins Script Security Plugin

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2110
GHSA ID
GHSA-qvmf-36h5-3f5v
EPSS Score
0.79061%
CWE
CWE-20
Published
5/24/2022
Updated
12/13/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:script-securitymaven<= 1.691.70

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from incomplete AST annotation validation during script compilation. The commit diff shows critical additions to RejectASTTransformsCustomizer where super.visitImports() and super.visitAnnotations() calls were added to ensure proper traversal of nested AST nodes. This indicates the original implementation failed to: 1) Check for AST transforms in import statements (e.g., '@Grab' in 'import @Grab com.example'), and 2) Validate annotations nested within other annotations. The test cases added in SandboxInterceptorTest.java specifically target these scenarios, confirming these were the vulnerable pathways.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*n**ox prot**tion in J*nkins S*ript S**urity Plu*in *.** *n* **rli*r *oul* ** *ir*umv*nt** *urin* t** s*ript *ompil*tion p**s* *y *pplyin* *ST tr*ns*ormin* *nnot*tions to imports or *y usin* t**m insi** o* ot**r *nnot*tions.

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* *ST *nnot*tion v*li**tion *urin* s*ript *ompil*tion. T** *ommit *i** s*ows *riti**l ***itions to R*j**t*STTr*ns*orms*ustomiz*r w**r* sup*r.visitImports() *n* sup*r.visit*nnot*tions() **lls w*r* ***** to *nsur*