
CVE-2020-2321: CSRF vulnerability in Jenkins Shelve Project Plugin

CVSS Score (v3.1): 8.1

Basic Information

EPSS Score: 0.36194%
Published: 5/24/2022
Updated: 12/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Package Name: org.jenkins-ci.plugins:shelve-project-plugin
Ecosystem: maven
Vulnerable Versions: <= 3.0
First Patched Version: 3.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing HTTP method restrictions on critical endpoints. Commit 5cb9a47 explicitly adds @POST annotations to these two methods, which matches the advisory's description of the fix as 'requiring POST requests for affected endpoints'. Both methods handle destructive operations (shelve/unshelve/delete), and because they accepted any HTTP method, a cross-site request (for example a plain GET carrying the victim's session cookie) could trigger them, which is the CSRF condition.
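To make the root cause concrete, here is an added illustration of the pattern the analysis describes, written for this page and not taken from the Shelve Project Plugin or from commit 5cb9a47. It shows a minimal Jenkins action class with a destructive Stapler web method in the state the advisory describes (any verb accepted) and in the hardened state (annotated with Stapler's @POST). The class name, URL name and method names are hypothetical; the Jenkins and Stapler types used (hudson.model.Action, hudson.model.AbstractItem, hudson.model.Item.DELETE, org.kohsuke.stapler.verb.POST) are real.

```java
// Added example for this advisory page, not the plugin's own code.
// A hypothetical Jenkins action exposing a destructive web method.
// Stapler maps a request to /<item url>/example/<name> onto do<Name>(...).
import hudson.model.AbstractItem;
import hudson.model.Action;
import hudson.model.Item;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import javax.servlet.ServletException;

public class ExampleItemAction implements Action {

    private final AbstractItem item;

    public ExampleItemAction(AbstractItem item) {
        this.item = item;
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Example action"; }
    @Override public String getUrlName() { return "example"; }

    // BEFORE (the CVE-2020-2321 pattern): no verb restriction, so a GET to
    // .../example/deleteItemUnrestricted issued by a cross-site page runs with
    // the victim's browser session. The permission check passes because the
    // victim really does hold Item.DELETE; it cannot tell who initiated the request.
    public void doDeleteItemUnrestricted(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException, InterruptedException {
        item.checkPermission(Item.DELETE);
        item.delete();
        rsp.sendRedirect2("..");
    }

    // AFTER (the shape of the fix described above): @POST makes Stapler reject
    // every verb except POST before the method body runs. Because Jenkins'
    // CSRF protection requires a valid crumb on POST requests, a cross-site form
    // cannot reach the destructive code path with a usable request.
    @POST
    public void doDeleteItem(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException, InterruptedException {
        item.checkPermission(Item.DELETE);
        item.delete();
        rsp.sendRedirect2("..");
    }
}
```

The detection side follows from the same shape: in an affected version, access-log entries for the plugin's shelve, unshelve or delete endpoints using GET (or any verb other than POST) are worth reviewing, since after upgrading to 3.1 those requests are answered with an HTTP method error instead of being executed.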


WAF Protection Rules

WAF Rule

Jenkins Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to shelve, unshelve, or delete a project. Jenkins
