CVE-2020-2197: Missing permission check in Jenkins Project Inheritance Plugin
4.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.07093%
CWE
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
hudson.plugins:project-inheritance | maven | <= 21.04.03 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly identifies the /job/.../getConfigAsXML
endpoint as the affected component. In Jenkins plugin architecture, such endpoints are typically implemented as do[Verb]
methods in Java classes. The combination of missing permission checks (Job/ExtendedRead
) and lack of secret redaction strongly suggests the handler method for this endpoint is vulnerable. The naming follows Jenkins convention where API endpoints map to doGetConfigAsXML
-style methods in job type implementations. While exact code isn't shown, the architectural patterns and vulnerability description provide high confidence in this identification.