CVE-2020-2280 CSRF In Jenkins Warnings Plugin
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides detailed analysis of recent and notable security vulnerabilities.
Warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary code.
Warnings Plugin 5.0.2 requires POST requests for the affected form validation method.
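As an added illustration, not the plugin's or the Jenkins project's code, the following hypothetical Jenkins extension shows the pattern the advisory describes (a form validation method reachable by GET) next to the hardened form (the method restricted to POST with the standard `@RequirePOST` annotation, plus a permission check). The class, method and URL names, and the `runCustomParser` helper, are assumptions.

```java
// Hypothetical Jenkins extension, constructed for illustration only.
import hudson.Extension;
import hudson.model.RootAction;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ParserCheckAction implements RootAction {

    // Stapler binds a method named doXyz to the URL <jenkins>/<urlName>/xyz,
    // so every "form validation" method is an HTTP endpoint in its own right.
    @Override public String getUrlName() { return "parser-check"; }
    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return null; }

    // BEFORE (the CVE-2020-2280 pattern): answers a plain GET. Jenkins applies its
    // CSRF crumb check only to POST requests, so a request a logged-in user's
    // browser is induced to make from another site reaches this method with the
    // user's session and the supplied script is evaluated.
    public FormValidation doValidateParserUnsafe(@QueryParameter String script) {
        return runCustomParser(script);
    }

    // AFTER (the fix the advisory describes, "require POST"): @RequirePOST is the
    // usual Jenkins way to reject non-POST requests, which also puts the request
    // under the crumb check. Validation that evaluates code should additionally
    // be limited to administrators rather than to anyone who can render the form.
    @RequirePOST
    public FormValidation doValidateParser(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return runCustomParser(script);
    }

    // Stand-in for "test this custom parser" (hypothetical). In the real plugin
    // this is where the user-supplied script runs, which is why the endpoint
    // must be POST-only and permission-checked.
    private FormValidation runCustomParser(String script) {
        if (script == null || script.trim().isEmpty()) {
            return FormValidation.error("Parser script is empty");
        }
        return FormValidation.ok("Parser accepted");
    }
}
```

A quick check for the hardened method on a running instance: a GET to `<jenkins>/parser-check/validateParser` must be refused, and a POST without a valid crumb must be refused as well.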
The CVSS Base Score is 8.8 (High).
Affected versions: Jenkins Warnings Plugin 5.0.1 and prior.
This vulnerability was a consequence of an incomplete fix for the earlier vulnerability tracked as CVE-2019-1003005. It appears to have been found by the Jenkins project itself.
No public exploit code is available, and a patch exists. Jenkins is an open source automation server that automates building, testing, and deploying software in the CI/CD pipeline. It integrates with project management software (JIRA), incident filing tools (Bugzilla), static analysis tools (Veracode), legal compliance tools (Black Duck), build tools (Ant, Maven) and version control tools (Subversion, Git). Millions of instances of Jenkins server are in use worldwide.
Virsec Security Platform (VSP) Support
The VSP-Web capability can detect such a CSRF attack and prevent it from being exploited.