8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2160

GHSA ID

GHSA-c735-g9f2-2mvp

EPSS Score

0.48558%

CWE

CWE-352

Published

5/24/2022

Updated

3/12/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2160

CVE-2020-2160: Cross-Site Request Forgery in Jenkins

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses.

In case of problems, administrators can disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true.

As an additional safeguard, semicolon (;) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2160

GHSA ID

GHSA-c735-g9f2-2mvp

EPSS Score

0.48558%

CWE

CWE-352

Published

5/24/2022

Updated

3/12/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.main:jenkins-core	maven	<= 2.204.5	2.204.6
org.jenkins-ci.main:jenkins-core	maven	>= 2.205, <= 2.227	2.228

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from inconsistent URL path handling between CSRF protection logic (CrumbFilter/CrumbExclusion) and the Stapler framework. The commit diff shows the fix introduced a Security1774ServletRequest wrapper to align path processing with Stapler's canonicalization. The original CrumbExclusion.process and CrumbFilter.doFilter methods were vulnerable because they operated on raw paths, allowing attackers to exploit path normalization differences. The added SuspiciousRequestFilter and test cases further confirm the attack vector involved semicolons in paths, which these functions failed to handle correctly before the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *xt*nsion point in J*nkins *llows s*l**tiv*ly *is**lin* *ross-sit* r*qu*st *or**ry (*SR*) prot**tion *or sp**i*i* URLs. Impl*m*nt*tions o* t**t *xt*nsion point r***iv** * *i***r*nt r*pr*s*nt*tion o* t** URL p*t* t**n t** St*pl*r w** *r*m*work us*

Reasoning

T** vuln*r**ility st*mm** *rom in*onsist*nt URL p*t* **n*lin* **tw**n *SR* prot**tion lo*i* (`*rum**ilt*r/*rum**x*lusion`) *n* t** St*pl*r *r*m*work. T** *ommit *i** s*ows t** *ix intro*u*** * `S**urity****S*rvl*tR*qu*st` wr*pp*r to *li*n p*t* pro**s

8.8

Basic Information

Concerned about an active attack path?

CVE-2020-2160: Cross-Site Request Forgery in Jenkins

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI