
CVE-2020-2311: Missing permission check in Jenkins AWS Global Configuration Plugin allows replacing plugin configuration

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.2102%
Published: 5/24/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name: io.jenkins.plugins:aws-global-configuration
Ecosystem: maven
Vulnerable Versions: <= 1.5
First Patched Version: 1.6

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The commit diff shows the vulnerability was fixed by adding 'Jenkins.get().checkPermission(Jenkins.ADMINISTER)' to the doConfigure method. Prior to this, the method used @RequirePOST (later changed to @POST) but had no authorization check. This matches the CWE-862 (Missing Authorization) description and the advisory's statement about missing permission checks in form submission endpoints.
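The following is an added illustration of the pattern described above, not the plugin's own source: a Jenkins global-configuration descriptor whose form-submission endpoint only restricts the HTTP verb, shown beside the hardened form that first requires Overall/Administer. The class name, the configuration field and the method names are assumptions made for the example.

```java
// Added example (not the aws-global-configuration plugin's code): a missing
// authorization check (CWE-862) on a Jenkins form-submission endpoint and its fix.
import hudson.Extension;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.kohsuke.stapler.verb.POST;

import javax.servlet.ServletException;
import java.io.IOException;

@Extension
public class ExampleAwsGlobalConfiguration extends GlobalConfiguration {
    // Assumed configuration field; the real plugin stores other settings.
    private String region;

    // BEFORE: @RequirePOST only rejects non-POST requests. Every user with
    // Overall/Read can reach the endpoint and overwrite the global settings.
    @RequirePOST
    public void doConfigureVulnerable(StaplerRequest req, StaplerResponse rsp)
            throws ServletException, IOException {
        JSONObject json = req.getSubmittedForm();
        configure(req, json);
        rsp.sendRedirect(".");
    }

    // AFTER: the verb restriction stays (@POST), and the endpoint first requires
    // Overall/Administer. checkPermission throws AccessDeniedException for anyone
    // else, so the submitted form is never applied.
    @POST
    public void doConfigure(StaplerRequest req, StaplerResponse rsp)
            throws ServletException, IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        JSONObject json = req.getSubmittedForm();
        configure(req, json);
        rsp.sendRedirect(".");
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        region = json.optString("region");
        save(); // persists the descriptor to $JENKINS_HOME
        return true;
    }
}
```

The check belongs inside the web method rather than only in the Jelly view, because the view's visibility does not stop a direct POST to the endpoint.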


WAF Protection Rules

WAF Rule

Jenkins AWS Global Configuration Plugin 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions. This allows attackers with Overall/Read permission to replace the global AWS configuration. Jenkins AWS Glo
