
CVE-2020-2197: Missing permission check in Jenkins Project Inheritance Plugin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.07093%
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
hudson.plugins:project-inheritance  maven       <= 21.04.03

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description explicitly identifies the `/job/.../getConfigAsXML` endpoint as the affected component. In the Jenkins plugin architecture, such endpoints are typically implemented as `do[Verb]` methods in Java classes. The combination of a missing permission check (Job/ExtendedRead) and the lack of secret redaction strongly suggests that the handler method for this endpoint is vulnerable. The naming follows the Jenkins convention in which API endpoints map to `doGetConfigAsXML`-style methods in job type implementations. While the exact code isn't shown, the architectural patterns and the vulnerability description provide high confidence in this identification.


WAF Protection Rules

WAF Rule

Jenkins limits access to job configuration XML data (`config.xml`) to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL `/job/…
