Miggo Logo

CVE-2020-2286: Improper authorization due to caching in Jenkins Role-based Authorization Strategy Plugin

8.8

CVSS Score
3.1

Basic Information

EPSS Score
0.28672%
Published
5/24/2022
Updated
10/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:role-strategymaven>= 2.12, < 3.13.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing cache invalidation after configuration changes. The primary vulnerable function is 'configure' (or equivalent config persistence method), which failed to clear the permission cache when settings were updated. Secondary is 'getGrantedPermissions' (or similar) which served stale data from the cache. These functions are central to the permission lifecycle - configuration updates and permission checks - making them key runtime indicators when profiling exploitation attempts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Rol*-**s** *ut*oriz*tion Str*t**y Plu*in *.** *n* n*w*r us*s * ***** to sp*** up p*rmission lookups. Rol*-**s** *ut*oriz*tion Str*t**y Plu*in *.* *n* **rli*r t*is ***** is not inv*li**t** prop*rly w**n *n **ministr*tor ***n**s t** p*rmission *on*i*ur

Reasoning

T** vuln*r**ility st*ms *rom missin* ***** inv*li**tion **t*r *on*i*ur*tion ***n**s. T** prim*ry vuln*r**l* *un*tion is '*on*i*ur*' (or *quiv*l*nt `*on*i*` p*rsist*n** m*t*o*), w*i** **il** to *l**r t** p*rmission ***** w**n s*ttin*s w*r* up**t**. S*