
CVE-2020-2216: Missing permission checks in Zephyr for JIRA Test Management Plugin

CVSS Score (v3.1)
4.3

Basic Information

EPSS Score
0.07093%
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name                                             | Ecosystem | Vulnerable Versions | First Patched Version
org.jenkins-ci.plugins:zephyr-for-jira-test-management   | maven     | <= 1.5              |

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from a form validation handler (typically named doTestConnection in Jenkins plugins) that did not implement proper authorization checks. Jenkins security advisories explicitly describe this pattern, in which form validation endpoints lack permission checks (CWE-862) and POST enforcement (CWE-285). The descriptor class (JiraDescriptorImpl) is the standard location for such configuration validation methods in Jenkins plugins.

WAF Protection Rules

WAF Rule

* A missing permission check in Jenkins Zephyr for JIRA Test Management Plugin 1.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified username and password.
