Miggo Logo
Miggo Vulnerability Database
CVE-2020-2272

CVE-2020-2272: Missing permission checks in Jenkins ElasTest Plugin

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2272
GHSA ID
GHSA-mr43-vf8q-q5f2
EPSS Score
0.07093%
CWE
CWE-862
Published
5/24/2022
Updated
11/5/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:elastestmaven<= 1.2.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from a missing permission check in a form validation method. Jenkins plugins typically implement configuration validation methods using doValidate patterns in DescriptorImpl classes. The advisory explicitly mentions a form validation method with missing authorization (CWE-862) that handles connection testing. The combination of credential handling and URL validation without permission checks matches the described attack vector. The function name and location follow Jenkins plugin conventions for configuration validation handlers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* missin* p*rmission ****k in J*nkins *l*sT*st Plu*in *.*.* *n* **rli*r *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls.

Reasoning

T** vuln*r**ility st*ms *rom * missin* p*rmission ****k in * *orm `v*li**tion` m*t*o*. J*nkins `plu*ins` typi**lly impl*m*nt `*on*i*ur*tion` `v*li**tion` m*t*o*s usin* `*oV*li**t*` p*tt*rns in `**s*riptorImpl` *l*ss*s. T** **visory *xpli*itly m*ntion