7.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2020-2235

GHSA ID

GHSA-c2hg-2jj6-h8vh

EPSS Score

0.60542%

CWE

CWE-352

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2235

CVE-2020-2235: CSRF vulnerability in Jenkins Pipeline Maven Integration Plugin allow capturing credentials

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-2235

CVE-2020-2235:

7.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2020-2235

GHSA ID

GHSA-c2hg-2jj6-h8vh

EPSS Score

0.60542%

CWE

CWE-352

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:pipeline-maven	maven	< 3.8.3	3.8.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on a form validation method with two critical flaws: 1) Missing permission check allowing low-privilege users (Overall/Read) to execute it, and 2) Lack of POST request requirement enabling CSRF. In Jenkins plugins, form validation methods typically follow the 'doCheck[ParameterName]' naming pattern and reside in Descriptor/Publisher classes. The credential testing functionality described aligns with JDBC connection validation, pointing to a method like doCheckJdbcUrl in the Maven JDBC publishing component. The high confidence comes from the vulnerability pattern matching Jenkins plugin security best practices - form validation methods require POST and specific permissions, which were explicitly added in the patched version.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-2235: CSRF vulnerability in Jenkins Pipeline Maven Integration Plugin allow capturing credentials

CVE-2020-2235:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2020-2235: CSRF vulnerability in Jenkins Pipeline Maven Integration Plugin allow capturing credentials

7.1

7.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI