
CVE-2020-2323: Missing permission checks in Jenkins Chaos Monkey Plugin

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.43069%
Published: 5/24/2022
Updated: 10/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name: io.jenkins.plugins:chaos-monkey
Ecosystem: maven
Vulnerable Versions: <= 0.4
First Patched Version: 0.4.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from missing permission checks in HTTP endpoints related to the Chaos Monkey interface. In Jenkins plugin architecture, these endpoints are typically implemented as methods in action classes (like ChaosMonkeyAction) annotated with @WebMethod or mapped via routes. The advisory specifically mentions two capabilities granted to attackers: 1) accessing the Chaos Monkey page, and 2) viewing action history. These correspond to the index page handler doIndex() and history retrieval method getHistory(). The absence of checkPermission() calls or @RequireAdminister annotations in these methods would allow Overall/Read users to access admin-level functionality. The confidence is high as this pattern matches Jenkins' security model and the vulnerability description explicitly identifies these two exposed functionalities.
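The pattern described above, as an added example that is not the plugin's own code: an unguarded Stapler-bound action next to a guarded one. The class names, URL names, icon and history field are hypothetical, Jenkins core is assumed to be on the classpath, and Overall/Administer is assumed as the required permission because the analysis calls the functionality admin-level.

```java
// Added illustration; hypothetical classes, not the Chaos Monkey plugin source.
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerProxy;

import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

public class ChaosActionExamples {

    /** Unguarded shape: every user with Overall/Read can open the page and read the history. */
    @Extension
    public static class UnguardedAction implements RootAction {
        private final List<String> history = new CopyOnWriteArrayList<>();

        @Override public String getIconFileName() { return "gear.png"; } // link shown to everyone
        @Override public String getDisplayName() { return "Chaos (unguarded example)"; }
        @Override public String getUrlName() { return "chaos-unguarded-example"; }

        // Exposed to the view as ${it.history}; nothing checks who is asking.
        public List<String> getHistory() { return history; }
    }

    /** Guarded shape: one check covers the view, the getters and any do* methods. */
    @Extension
    public static class GuardedAction implements RootAction, StaplerProxy {
        private final List<String> history = new CopyOnWriteArrayList<>();

        // Stapler calls getTarget() before routing any request to this object,
        // so the check also protects Jelly views that have no Java handler.
        @Override public Object getTarget() {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return this;
        }

        // Returning null hides the sidebar link from users who would be denied anyway.
        @Override public String getIconFileName() {
            return Jenkins.get().hasPermission(Jenkins.ADMINISTER) ? "gear.png" : null;
        }
        @Override public String getDisplayName() { return "Chaos (guarded example)"; }
        @Override public String getUrlName() { return "chaos-guarded-example"; }

        // Repeated check: the getter can also be called from code that bypasses Stapler routing.
        public List<String> getHistory() {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return new ArrayList<>(history);
        }
    }
}
```

When reviewing a plugin for this class of bug, check the view files as well as the do* methods: a page rendered from index.jelly has no Java handler in which a per-method check could live.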

WAF Protection Rules

WAF Rule

Jenkins Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint. This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions. Jenkins Chaos Monkey Plugin 0.
