Miggo Logo
Miggo Vulnerability Database
CVE-2020-2275

CVE-2020-2275: Arbitrary file read vulnerability in Copy data to workspace Jenkins Plugin

6.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2275
GHSA ID
GHSA-2f4c-8rp6-fh6q
EPSS Score
0.8035%
CWE
CWE-22
Published
5/24/2022
Updated
1/28/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jvnet.hudson.plugins:copy-data-to-workspace-pluginmaven<= 1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the plugin's failure to restrict source directories during file copy operations. The primary function handling this logic would be the method responsible for executing the copy operation (commonly named 'perform' in Jenkins builders). Since the plugin allows attackers to specify arbitrary paths without validation, this function would directly process the user-controlled input and copy files from unrestricted locations. The CWE-22 classification and the advisory's description of unrestricted directory access strongly indicate that the file-copying function lacks proper path sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *opy **t* to worksp*** Plu*in *.* *n* **rli*r *o*s not limit w*i** *ir**tori*s **n ** *opi** *rom t** J*nkins *ontroll*r to jo* worksp***s, *llowin* *tt**k*rs wit* Jo*/*on*i*ur* p*rmission to r*** *r*itr*ry *il*s on t** J*nkins *ontroll*r.

Reasoning

T** vuln*r**ility st*ms *rom t** plu*in's **ilur* to r*stri*t sour** *ir**tori*s *urin* *il* *opy op*r*tions. T** prim*ry `*un*tion` **n*lin* t*is lo*i* woul* ** t** `m*t*o*` r*sponsi*l* *or *x**utin* t** *opy op*r*tion (*ommonly n*m** 'p*r*orm' in J