Vulnerability Report

CVE-2020-2280 CSRF In Jenkins Warnings Plugin

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

Jenkins Warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. Because the method can be reached with a plain GET request, an attacker who can get a logged-in Jenkins user to visit a crafted page can make that user's browser invoke the method, and the advisory states that this allows attackers to execute arbitrary code.

Warnings Plugin 5.0.2 requires POST requests for the affected form validation method. Jenkins enforces its CSRF protection (the crumb check) on POST requests, so restricting the method to POST closes the cross-site path.
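The following is an added illustration of the vulnerable pattern and of the fix described above; it is not code from the Warnings Plugin or from Jenkins. The class name, the `doTestParser` method, its `script` parameter and the `runParser` helper are assumptions standing in for the plugin's real form validation method; the Stapler and Jenkins APIs used (`@QueryParameter`, `@RequirePOST`, `FormValidation`, `Jenkins.get().checkPermission`) are real.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Added example, not the plugin's own code. In a real plugin these methods would
 * live on a Descriptor, which Jenkins exposes under /descriptorByName/<class>/;
 * Stapler turns any public method named doXxx into the web method "xxx".
 * The method names, the 'script' parameter and runParser are assumptions.
 */
public class ParserValidationExample {

    // Hypothetical stand-in for executing a user-supplied parser definition
    // (in the real plugin this is where the custom parser would be run).
    private static String runParser(String script) {
        return "parser definition has " + script.length() + " characters";
    }

    // BEFORE (the CVE-2020-2280 pattern): no HTTP method restriction.
    // Stapler serves this for GET as well as POST, and Jenkins only applies its
    // CSRF crumb check to POST requests. An attacker's page can therefore make
    // the victim's browser issue the GET with the session cookie attached, e.g.
    //   <img src="https://jenkins.example/descriptorByName/.../testParser?script=...">
    // and the supplied definition is executed with the victim's session.
    public FormValidation doTestParser(@QueryParameter String script) {
        return FormValidation.ok(runParser(script));
    }

    // AFTER (the kind of change Warnings Plugin 5.0.2 makes for its method):
    // @RequirePOST makes Stapler reject anything but POST, and a POST without a
    // valid crumb is rejected by Jenkins' CSRF protection, so a cross-origin
    // form submission or image load never reaches the method body.
    @RequirePOST
    public FormValidation doTestParserFixed(@QueryParameter String script) {
        // Additional hardening beyond the POST requirement (an assumption of
        // this example, not something the advisory describes): a method that
        // runs caller-supplied code should also check that the caller is
        // allowed to do so.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (script == null || script.trim().isEmpty()) {
            return FormValidation.error("Parser definition is required");
        }
        return FormValidation.ok(runParser(script));
    }
}
```

The practical check when reviewing a Jenkins plugin is to list every `do*` method that has side effects or executes user input and confirm each carries `@RequirePOST` (or an explicit method check) and a permission check; a GET-reachable method of that kind is exactly the pattern this CVE describes.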


CVSS Score

The CVSS Base Score is 8.8 (High)

Affected Version

Jenkins Warnings Plugin 5.0.1 and prior versions.

Vulnerability Attribution

This vulnerability was a consequence of an incomplete fix for the earlier vulnerability CVE-2019-1003005. No external reporter is credited, so it appears to have been found by the Jenkins project itself.

Risk Impact

No public exploit code is available, and a patch exists. Jenkins is an open source automation server that automates building, testing, and deploying software in the CI/CD pipeline. It integrates with project management software (JIRA), issue trackers (Bugzilla), static analysis tools (Veracode), legal compliance tools (Black Duck), build tools (Ant, Maven) and version control tools (Subversion, Git). Millions of Jenkins server instances are in use worldwide. Because a Jenkins controller typically holds source control, artifact repository and deployment credentials, arbitrary code execution on it exposes everything those credentials reach, not just the Jenkins host.

Source: https://www.altexsoft.com/blog/engineering/comparison-of-most-popular-continuous-integration-tools-jenkins-teamcity-bamboo-travis-ci-and-more/  

Virsec Security Platform (VSP) Support

The VSP-Web capability can detect such CSRF attacks and prevent this vulnerability from being exploited.
