
CVE-2020-2198: Missing permission check in Jenkins Project Inheritance Plugin

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.1451%
Published: 5/24/2022
Updated: 1/31/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: hudson.plugins:project-inheritance
Ecosystem: maven
Vulnerable Versions: <= 21.04.03
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability centers on the plugin's 'getConfigAsXML' endpoint, which serves a job's config.xml. Two controls are missing. First, the permission check is too weak: the endpoint only requires Item/Read, whereas Jenkins core gates config.xml on Item/ExtendedRead (implied by Item/Configure), so any user who can merely see the job can fetch its full configuration. Second, the endpoint does not apply core's standard secret redaction: when a caller has ExtendedRead but not Configure, core replaces every encrypted Secret value in the XML with asterisks before sending it, while this endpoint returns the stored file as-is. In Jenkins plugin architecture, endpoints like this are implemented as Stapler do[MethodName] handlers on an Action class, and redaction is normally applied in the XML serialization step that produces the response; the combination of the missing permission check and the unredacted output points to that handler as the vulnerable function. The net effect matches the advisory text: a user with only Job/Read can obtain the encrypted secrets stored in the job configuration.
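To make the two missing controls concrete, the following model contrasts the behaviour described above with the gating Jenkins core applies to a job's config.xml, and adds a check that scans a fetched response for encrypted-secret-shaped values. This is an added example, not code from the Project Inheritance Plugin or from Jenkins core. The permission names follow Jenkins' Item/* permissions; the encrypted-value regex, the minimum length used to avoid matching ordinary element text, the `hypothetical.Notifier` element and the secret value in the sample config.xml are all constructed assumptions for the example.

```python
"""Model of config.xml access control and secret redaction.

Added example: not code from the Project Inheritance Plugin or Jenkins core.
The regex approximates the shape of an encrypted Jenkins Secret (base64 text,
optionally wrapped in braces); the minimum length is a heuristic standing in
for core's check that the value actually decrypts. The sample config.xml,
the <hypothetical.Notifier> element and the secret value are constructed.
"""
from __future__ import annotations

import re

# Jenkins Item/* permission names involved in serving a job's config.xml.
READ = "Item/Read"
EXTENDED_READ = "Item/ExtendedRead"
CONFIGURE = "Item/Configure"

# Element text that looks like an encrypted Secret: base64 alphabet, optional
# '=' padding, optional surrounding braces. Assumed shape, see module docstring.
ENCRYPTED_VALUE = re.compile(r">(\{?[A-Za-z0-9+/]{20,}={0,2}\}?)<")
REDACTED = ">********<"


class PermissionDenied(Exception):
    """Raised where a Jenkins endpoint would answer 403."""


def redact_secrets(xml: str) -> str:
    """Replace every encrypted-secret-shaped element value with asterisks."""
    return ENCRYPTED_VALUE.sub(REDACTED, xml)


def vulnerable_get_config_as_xml(xml: str, perms: set[str]) -> str:
    """Behaviour the advisory describes: only Item/Read is checked and the
    file is returned as stored, so encrypted secrets reach the caller."""
    if READ not in perms:
        raise PermissionDenied("Item/Read required")
    return xml


def hardened_get_config_as_xml(xml: str, perms: set[str]) -> str:
    """Gating Jenkins core applies to a job's config.xml:
    Item/Configure                       -> raw file
    Item/ExtendedRead without Configure  -> redacted copy
    neither                              -> refused (Item/Read alone is not enough)
    """
    if CONFIGURE in perms:
        return xml
    if EXTENDED_READ in perms:
        return redact_secrets(xml)
    raise PermissionDenied("Item/ExtendedRead required")


def find_unredacted_secrets(body: str) -> list[str]:
    """Detection check for a fetched response: encrypted-secret-shaped values
    still present. A non-empty result from a read-only session is the leak."""
    return ENCRYPTED_VALUE.findall(body)


# Constructed sample job configuration with one encrypted credential.
SAMPLE_CONFIG_XML = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <description>nightly build</description>
  <publishers>
    <hypothetical.Notifier>
      <apiToken>{AQAAABAAAAAQdGhpcy1pcy1jb25zdHJ1Y3RlZA==}</apiToken>
    </hypothetical.Notifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    read_only = {READ}
    leaked = find_unredacted_secrets(
        vulnerable_get_config_as_xml(SAMPLE_CONFIG_XML, read_only))
    print("vulnerable endpoint, Item/Read only ->", leaked)
    try:
        hardened_get_config_as_xml(SAMPLE_CONFIG_XML, read_only)
    except PermissionDenied as exc:
        print("hardened endpoint, Item/Read only ->", exc)
    print(hardened_get_config_as_xml(SAMPLE_CONFIG_XML, {READ, EXTENDED_READ}))
```

The same `find_unredacted_secrets` check can be run over the body of any config.xml-style response fetched with a read-only account: anything it returns is a value that should have been replaced with asterisks before leaving the server.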


WAF Protection Rules

WAF Rule

Jenkins Project Inheritance Plugin 21.04.03 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
