CVE-2020-2237: CSRF vulnerability in Jenkins Flaky Test Handler Plugin

CVSS Score: 4.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.63852%
Published: 5/24/2022
Updated: 1/29/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package Name: org.jenkins-ci.plugins:flaky-test-handler
Ecosystem: maven
Vulnerable Versions: < 1.1.0
First Patched Version: 1.1.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from a missing HTTP POST requirement for state-changing actions. Jenkins plugins typically implement CSRF protection by restricting actions to POST requests and using crumb tokens. The advisory explicitly states that the 'Deflake this build' feature lacked POST enforcement. While exact implementation details aren't available, the standard Jenkins plugin pattern would involve a handler method such as doDeflake in an Action class. Confidence is high because: 1) the vulnerability description directly implicates the rebuild functionality; 2) Jenkins security patterns strongly correlate HTTP method validation with action handler methods; 3) the 'Deflake' action is a clear state-changing operation requiring POST protection.
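A source-audit check for the pattern described above, added here as an example and not taken from the plugin or the advisory: it flags Stapler `do*` handler methods that carry no POST-enforcing annotation. The `DeflakeAction` class, the `doDeflake` body and the `scheduleRebuild` helper are constructed placeholders, since the page does not give the plugin's actual code.

```python
import re

# Stapler routes public methods named do<Name>(...) to URLs, so each one is a web endpoint.
WEB_METHOD = re.compile(r"\bpublic\s+(?:[\w<>\[\],.?]+\s+)+?(do[A-Z]\w*)\s*\(")
ANNOTATION = re.compile(r"@(?:[\w.]+\.)?(\w+)")
# Annotations that reject non-POST requests (Stapler's @RequirePOST and @POST).
POST_ONLY = {"RequirePOST", "POST"}

def find_unprotected_web_methods(java_source):
    """Return names of do* methods that carry no POST-enforcing annotation."""
    lines = java_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        match = WEB_METHOD.search(line)
        if not match or line.lstrip().startswith(("//", "*")):
            continue
        # Annotations written on the declaration line itself...
        found = set(ANNOTATION.findall(line[:match.start()]))
        # ...plus the contiguous block of annotation lines directly above it.
        j = i - 1
        while j >= 0 and lines[j].strip().startswith("@"):
            found.update(ANNOTATION.findall(lines[j]))
            j -= 1
        if not found & POST_ONLY:
            findings.append(match.group(1))
    return findings

# Constructed sample: hypothetical action class, "before" form (reachable via GET).
BEFORE = """
public class DeflakeAction implements Action {
    public void doDeflake(StaplerRequest req, StaplerResponse rsp) throws IOException {
        scheduleRebuild();
        rsp.sendRedirect("..");
    }
}
"""

# Constructed sample: the same handler restricted to POST.
AFTER = """
public class DeflakeAction implements Action {
    @RequirePOST
    public void doDeflake(StaplerRequest req, StaplerResponse rsp) throws IOException {
        scheduleRebuild();
        rsp.sendRedirect("..");
    }
}
"""

if __name__ == "__main__":
    print("before:", find_unprotected_web_methods(BEFORE))
    print("after: ", find_unprotected_web_methods(AFTER))
```

The check is a line-based heuristic: it only sees annotations on the declaration line or on the lines directly above it, so a finding is a prompt for manual review rather than proof of a missing check.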
