
CVE-2020-2234: Missing permission check in Jenkins Pipeline Maven Integration Plugin allows capturing credentials

CVSS Score: 7.1 (CVSS 3.0)

Basic Information

EPSS Score: 0.14756%
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name: org.jenkins-ci.plugins:pipeline-maven
Ecosystem: maven
Vulnerable Versions: < 3.8.3
First Patched Version: 3.8.3

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability centers on a form validation method that tests a JDBC URL and credentials. The method failed to: 1) check Job/Configure permissions (CWE-285/CWE-862), and 2) require POST requests, leaving it open to CSRF. Jenkins plugin descriptors typically expose form validation as 'doValidate[Parameter]' methods. The advisory states that the fixed version added POST enforcement and permission checks to 'the affected form validation method', which strongly indicates a method handling JDBC validation in the plugin's configuration descriptor class (GlobalPipelineMavenConfig$DescriptorImpl).
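As an added illustration, not code from the Pipeline Maven Integration Plugin, here is a Jenkins global-configuration descriptor with a JDBC form-validation method in the weak shape described above and in the hardened shape the fix describes. The class and method names are hypothetical, and Overall/Administer is assumed to be the appropriate permission because the descriptor belongs to global configuration.

```java
// Added example, not code from the Pipeline Maven Integration Plugin.
// Class and method names are hypothetical; Jenkins.ADMINISTER is assumed to be
// the right permission because this descriptor belongs to global configuration.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

@Extension
public class JdbcCheckConfig extends GlobalConfiguration {

    // Weak form (the shape the advisory describes): no permission check, and
    // Stapler serves it for GET as well as POST. Any user with Overall/Read can
    // make Jenkins open a connection to a URL and credentials of their choosing,
    // and because GET requests carry no CSRF crumb the same holds for CSRF.
    public FormValidation doValidateJdbcUrlWeak(@QueryParameter String jdbcUrl,
                                                @QueryParameter String username,
                                                @QueryParameter String password) {
        return tryConnect(jdbcUrl, username, password);
    }

    // Hardened form: @POST makes Stapler reject anything but POST, which places
    // the request under Jenkins' CSRF crumb check, and checkPermission throws
    // AccessDeniedException unless the caller may change global configuration.
    @POST
    public FormValidation doValidateJdbcUrl(@QueryParameter String jdbcUrl,
                                            @QueryParameter String username,
                                            @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(jdbcUrl, username, password);
    }

    // Shared connection test; the database error is reported back to the form.
    private static FormValidation tryConnect(String url, String user, String pass) {
        try (Connection c = DriverManager.getConnection(url, user, pass)) {
            return FormValidation.ok("Connected: " + c.getMetaData().getDatabaseProductName());
        } catch (SQLException e) {
            return FormValidation.error(e, "Could not connect to " + url);
        }
    }
}
```

The two fixes are complementary: Jenkins' crumb filter only validates POST requests, so @POST without the permission check still lets any logged-in reader trigger the connection, and the permission check without @POST still leaves a CSRF path for an administrator's browser.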
