
CVE-2020-2160: Cross-Site Request Forgery in Jenkins

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.48558%
Published: 5/24/2022
Updated: 3/12/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name                        Ecosystem   Vulnerable Versions    First Patched Version
org.jenkins-ci.main:jenkins-core    maven       <= 2.204.5             2.204.6
org.jenkins-ci.main:jenkins-core    maven       >= 2.205, <= 2.227     2.228

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from inconsistent URL path handling between CSRF protection logic (CrumbFilter/CrumbExclusion) and the Stapler framework. The commit diff shows the fix introduced a Security1774ServletRequest wrapper to align path processing with Stapler's canonicalization. The original CrumbExclusion.process and CrumbFilter.doFilter methods were vulnerable because they operated on raw paths, allowing attackers to exploit path normalization differences. The added SuspiciousRequestFilter and test cases further confirm the attack vector involved semicolons in paths, which these functions failed to handle correctly before the patch.
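The root cause above is a mismatch between the path a CSRF exclusion sees and the path the router actually dispatches on. The following is an added illustration, not Jenkins or Stapler code: a hypothetical helper that strips `;`-delimited path parameters from each segment and resolves `.` and `..` before any exclusion prefix is compared, so that the exclusion decision and the routing decision are made on the same canonical form. The exclusion prefix `/webhook/` and the sample paths are constructed for the demonstration, and the canonicalization rules are an assumption chosen to mirror the behaviour the analysis describes, not a claim about Stapler's exact algorithm.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

/**
 * Hypothetical helper (not Jenkins code): make the CSRF-exclusion check operate
 * on the same canonical path the router uses, instead of the raw request path.
 */
public final class CanonicalPathCheck {

    /**
     * Canonicalize a request path: drop ";param" suffixes from every segment
     * (for example ";jsessionid=..."), skip empty and "." segments, and resolve
     * ".." by popping the previous segment. Assumed rules for illustration.
     */
    static String canonicalize(String rawPath) {
        Deque<String> out = new ArrayDeque<>();
        for (String segment : rawPath.split("/")) {
            int semi = segment.indexOf(';');
            if (semi >= 0) {
                segment = segment.substring(0, semi); // strip path parameters
            }
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                out.pollLast(); // step back one segment; no-op at the root
                continue;
            }
            out.addLast(segment);
        }
        return "/" + String.join("/", out);
    }

    /**
     * Exclusion decision made on the canonical path only. Matching the raw
     * path here is the pattern the advisory describes as the defect.
     */
    static boolean isExcluded(String rawPath, List<String> exclusionPrefixes) {
        String canonical = canonicalize(rawPath);
        for (String prefix : exclusionPrefixes) {
            if (canonical.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed exclusion list: only the webhook endpoint may skip the crumb check.
        List<String> exclusions = List.of("/webhook/");
        String[] samples = {
            "/webhook/notify",          // plain path, excluded
            "/webhook;v=1/notify",      // same resource with a path parameter, same decision
            "/job/build",               // protected endpoint, not excluded
            "/webhook/../job/build"     // resolves to /job/build, so not excluded
        };
        for (String p : samples) {
            System.out.printf("%-24s -> canonical %-18s excluded=%b%n",
                    p, canonicalize(p), isExcluded(p, exclusions));
        }
    }
}
```

The point of the helper is that the second and fourth samples give the same answer the router would give: a path parameter does not change which resource is addressed, and a `..` segment is resolved before the prefix is compared. Any filter that decides on the raw string instead can reach a different verdict than the router for the same request, which is the inconsistency the fix removed.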


WAF Protection Rules

WAF Rule

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework use
