CVE-2020-2280

HIGH8.8EPSS 0.14%

CSRF vulnerability in Jenkins warnings Plugin allows remote code execution

發布日:2022/5/24修改日:2024/2/16

描述

warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary code. warnings Plugin 5.0.2 requires POST requests for the affected form validation method. This vulnerability was caused by an incomplete fix to [SECURITY-1295](https://www.jenkins.io/security/advisory/2019-01-28/).

受影響套件(1)

Maven/org.jvnet.hudson.plugins:warningsfrom 0, < 5.0.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2280
PATCHhttps://github.com/jenkinsci/warnings-plugin
WEBhttps://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-2042
WEBhttp://www.openwall.com/lists/oss-security/2020/09/23/1