
CVE-2020-2241:
CSRF vulnerability in Jenkins Database Plugin

CVSS Score: 5.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.61908%
Published: 5/24/2022
Updated: 12/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Package Name: org.jenkins-ci.plugins:database
Ecosystem: maven
Vulnerable Versions: <= 1.6
First Patched Version: 1.7

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The commit diff shows critical security fixes: 1) Added @POST annotations to enforce HTTP POST requests, 2) Introduced Jenkins.get().checkPermission(Jenkins.ADMINISTER) for authorization checks, and 3) Changed password parameter type to Secret. The affected methods handling database validation (doValidate) and driver checks (doCheckDriver) were previously accessible via GET requests without proper authentication, making them CSRF vectors. The vulnerability documentation explicitly states these endpoints were protected by adding POST requirements and permission checks in version 1.7.
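The analysis above names three changes to the Stapler form-validation methods. The following Java is an added illustration of that pattern, not the Database Plugin's own source: the class, the `ExampleDatabase` describable it belongs to, the `tryConnect` helper and the `doValidateUnsafe` method are hypothetical, while `@POST`, `@QueryParameter`, `Jenkins.get().checkPermission(Jenkins.ADMINISTER)`, `Secret` and `FormValidation` are real Jenkins core and Stapler APIs.

```java
// Added illustration (not the plugin's own code) of the fix pattern described
// above, applied to form-validation methods on a Jenkins Descriptor.
// ExampleDatabase, ExampleDatabaseDescriptor and tryConnect are hypothetical.
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class ExampleDatabaseDescriptor extends Descriptor<ExampleDatabase> {

    @Override
    public String getDisplayName() {
        return "Example database";
    }

    // BEFORE: the shape the analysis describes as vulnerable. Stapler routes
    // do* methods for any HTTP verb, so a plain GET with query parameters
    // reaches this, no permission is checked, and the server opens an
    // outbound connection to whatever host and credentials the parameters
    // name. That is the CSRF vector: a logged-in user's browser can be made
    // to issue such a GET from another origin.
    public FormValidation doValidateUnsafe(@QueryParameter String url,
                                           @QueryParameter String user,
                                           @QueryParameter String password) {
        return tryConnect(url, user, password);
    }

    // AFTER: @POST makes Stapler reject other verbs and, with CSRF protection
    // enabled, require the crumb Jenkins attaches to its own POST forms;
    // checkPermission throws AccessDeniedException for anyone without
    // Overall/Administer; Secret keeps the password out of plaintext handling.
    @POST
    public FormValidation doValidate(@QueryParameter String url,
                                     @QueryParameter String user,
                                     @QueryParameter Secret password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url, user, Secret.toString(password));
    }

    // Driver check hardened the same way: the side effect (loading an
    // arbitrary class by name) is now only reachable by an administrator's
    // crumb-bearing POST.
    @POST
    public FormValidation doCheckDriver(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            Class.forName(value);
            return FormValidation.ok();
        } catch (ClassNotFoundException e) {
            return FormValidation.error("Driver class not found: " + value);
        }
    }

    // Hypothetical helper: opens a JDBC connection and reports the result as
    // form-validation feedback.
    private FormValidation tryConnect(String url, String user, String password) {
        try (Connection c = DriverManager.getConnection(url, user, password)) {
            return FormValidation.ok("Connected to "
                    + c.getMetaData().getDatabaseProductName());
        } catch (SQLException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

When reviewing a Jenkins plugin for this class of issue, look for `do*` methods that cause a side effect (network connection, class loading, file access) and lack both a verb annotation such as `@POST` or `@RequirePOST` and a permission check; the two controls are independent, and the fix described above applies both.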


WAF Protection Rules

WAF Rule

A cross-site request forgery (CSRF) vulnerability in Jenkins Database Plugin 1.6 and earlier allows attackers to connect to an attacker-specified database server using attacker-specified credentials. Database Plugin 1.7 requires POST requests for t
