4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2197

GHSA ID

GHSA-hj32-9mcw-5cwh

EPSS Score

0.07093%

CWE

CWE-285

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2197

CVE-2020-2197: Missing permission check in Jenkins Project Inheritance Plugin

Jenkins limits access to job configuration XML data (config.xml) to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL /job/…/getConfigAsXML for its Inheritance Project job type that does something similar.

Project Inheritance Plugin 21.04.03 and earlier does not check permissions for this new endpoint, granting access to job configuration XML data to every user with Job/Read permission.

Additionally, the encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Job/Configure permission.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2197

GHSA ID

GHSA-hj32-9mcw-5cwh

EPSS Score

0.07093%

CWE

CWE-285

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
hudson.plugins:project-inheritance	maven	<= 21.04.03

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the /job/.../getConfigAsXML endpoint as the affected component. In Jenkins plugin architecture, such endpoints are typically implemented as do[Verb] methods in Java classes. The combination of missing permission checks (Job/ExtendedRead) and lack of secret redaction strongly suggests the handler method for this endpoint is vulnerable. The naming follows Jenkins convention where API endpoints map to doGetConfigAsXML-style methods in job type implementations. While exact code isn't shown, the architectural patterns and vulnerability description provide high confidence in this identification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins limits ****ss to jo* *on*i*ur*tion XML **t* (`*on*i*.xml`) to us*rs wit* Jo*/*xt*n***R*** p*rmission, typi**lly impli** *y Jo*/*on*i*ur* p*rmission. Proj**t In**rit*n** Plu*in **s s*v*r*l jo* insp**tion ***tur*s, in*lu*in* t** *PI URL `/jo*/…

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** `/jo*/.../**t*on*i**sXML` *n*point *s t** *****t** *ompon*nt. In J*nkins plu*in *r**it**tur*, su** *n*points *r* typi**lly impl*m*nt** *s `*o[V*r*]` m*t*o*s in J*v* *l*ss*s. T** *om*in*tion o* m

4.3

Basic Information

Concerned about an active attack path?

CVE-2020-2197: Missing permission check in Jenkins Project Inheritance Plugin

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI