CVE-2020-2273: CSRF vulnerability in Jenkins ElasTest Plugin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.84771%
Published: 5/24/2022
Updated: 10/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name                      Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.plugins:elastest   maven       <= 1.2.1              (not listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory explicitly states that the vulnerability stems from a form validation method that lacks a permission check and does not require POST requests. In Jenkins plugins, form validation methods (the doCheck* methods on Descriptor classes) are common CSRF targets when they lack the @RequirePOST annotation, because a GET request triggered from a crafted page is then enough to invoke them. The method name 'doCheckUrl' is inferred from the credential/URL validation context described in the vulnerability, not confirmed from source. The high confidence comes from the direct match between the described vulnerability mechanics (missing permission check plus CSRF via GET) and this well-known Jenkins plugin development pattern.
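As an added illustration of the pattern described above (not code from the ElasTest plugin or from the advisory), here is a hypothetical Jenkins Descriptor with a doCheck-style method in the vulnerable shape beside a hardened version; the class name, method names and parameter names are assumptions:

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical builder: class and method names are assumptions, not the plugin's own code.
public class ExampleBuilder extends Builder {
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // BEFORE: the pattern the advisory describes. Stapler binds this to GET as well as
        // POST, there is no permission check, and it acts on caller-supplied URL and
        // credentials, so a crafted link makes the server open that connection for a victim.
        public FormValidation doCheckUrlVulnerable(@QueryParameter String value,
                @QueryParameter String username, @QueryParameter String password) {
            return connectAndValidate(value, username, password);
        }

        // AFTER: the two controls whose absence the advisory names. @RequirePOST rejects
        // GET (so the request must carry the Jenkins CSRF crumb) and an explicit
        // permission check ties the action to a caller allowed to configure the item.
        @RequirePOST
        public FormValidation doCheckUrl(@AncestorInPath Item item, @QueryParameter String value,
                @QueryParameter String username, @QueryParameter String password) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return connectAndValidate(value, username, password);
        }

        // Stand-in for the plugin's connectivity test; it deliberately performs no network I/O.
        private FormValidation connectAndValidate(String url, String user, String pass) {
            if (url == null || url.trim().isEmpty()) {
                return FormValidation.error("URL is required");
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

A quick check for this class of defect in a plugin code base is to list every doCheck*/doTest*/doValidate* method and confirm each one carries @RequirePOST and calls checkPermission before doing anything with user-supplied input.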


WAF Protection Rules

WAF Rule

A cross-site request forgery (CSRF) vulnerability in Jenkins ElasTest Plugin 1.2.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.
