CVE-2020-2260: Missing permission check in Perfecto Plugin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.07093%
Published: 5/24/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name: io.jenkins.plugins:perfecto
Ecosystem: maven
Vulnerable Versions: <= 1.17
First Patched Version: 1.18

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from a missing permission check in the connection test method. Jenkins plugins typically implement such functionality in descriptor classes (DescriptorImpl) with methods named doTest* for form validation. The pattern matches CWE-862 (Missing Authorization), where an authorization check is absent from a sensitive operation. The high confidence comes from: 1) standard Jenkins plugin architecture patterns; 2) the explicit mention of a connection test method in advisories; 3) the fix requiring Administer permission, which suggests authorization was added to an existing endpoint.

WAF Protection Rules

WAF Rule

Perfecto Plugin 1.17 and earlier does not perform a permission check in a method implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and pa