5.4

CVSS Score

Basic Information

CVE ID

CVE-2020-2192

GHSA ID

GHSA-c264-8834-ppj2

EPSS Score

CWE

CWE-352

Published

5/24/2022

Updated

12/7/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2192

CVE-2020-2192:
CSRF vulnerability in Jenkins Swarm Plugin

Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent.

Additionally, these API endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Swarm Plugin 3.21 requires POST requests and Agent/Configure permission for the affected agent to these endpoints. It no longer uses the global Swarm secret for these API endpoints.

(GitHub Advisory)

5.4

CVSS Score

Basic Information

CVE ID

CVE-2020-2192

GHSA ID

GHSA-c264-8834-ppj2

EPSS Score

CWE

CWE-352

Published

5/24/2022

Updated

12/7/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:swarm	maven	< 3.21	3.21

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three key issues in API endpoints: 1) Missing POST requirement (allowing CSRF via GET), 2) Reliance on a global secret instead of Jenkins' permission system, and 3) Lack of Agent/Configure checks. The commit diff shows these functions were modified to add @POST annotations, remove secret parameters, and introduce nn.checkPermission(Computer.CONFIGURE). The pre-patch versions of these functions in PluginImpl.java contained the vulnerable pattern of using secret-based auth without CSRF protections or proper permission validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Sw*rm Plu*in ***s *PI *n*points to *** or r*mov* ***nt l***ls. In Sw*rm Plu*in *.** *n* **rli*r t**s* only r*quir* * *lo**l Sw*rm s**r*t to us*, *n* no r**ul*r p*rmission ****k is p*r*orm**. T*is *llows us*rs wit* ***nt/*r**t* p*rmission to *** or r*

Reasoning

T** vuln*r**ility st*ms *rom t*r** k*y issu*s in *PI *n*points: *) Missin* POST r*quir*m*nt (*llowin* *SR* vi* **T), *) R*li*n** on * *lo**l s**r*t inst*** o* J*nkins' p*rmission syst*m, *n* *) L**k o* ***nt/*on*i*ur* ****ks. T** *ommit *i** s*ows t*

5.4

Basic Information

Concerned about an active attack path?

CVE-2020-2192: CSRF vulnerability in Jenkins Swarm Plugin

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-2192:
CSRF vulnerability in Jenkins Swarm Plugin

Vulnerability Intelligence
Miggo AI