CVE-2020-2280: CSRF in Jenkins Warnings Plugin

Virsec Security Research Lab Vulnerability Report

The Virsec Security Research Lab, helmed by Virsec CTO Satya Gupta, provides timely, relevant analysis of prevalent security vulnerabilities.

1.1 Vulnerability Summary

Warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. Because the method is reachable through a plain GET request, this vulnerability allows attackers to execute arbitrary code.

Warnings Plugin 5.0.2 requires POST requests for the affected form validation method. 
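The pattern behind the flaw and the fix, shown as an added illustration rather than the plugin's own source: a Jenkins Stapler form-validation method that answers GET requests beside the same method restricted to POST and gated by a permission check. The class, method and parameter names (CustomParser, doTestParserUnsafe, doTestParser, regexp, example) are hypothetical placeholders chosen for this example.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Hypothetical describable for a custom warnings parser; names are assumptions, not the real plugin's. */
public class CustomParser extends AbstractDescribableImpl<CustomParser> {

    @Extension
    public static class DescriptorImpl extends Descriptor<CustomParser> {

        // BEFORE (the 5.0.1 pattern described in the advisory): Stapler routes any
        // HTTP method to a public do* method by default, so a GET is enough. A crafted
        // link or <img> on a third-party page therefore makes a logged-in user's browser
        // invoke the parser test with attacker-chosen parameters, with no CSRF crumb
        // required because crumbs are only enforced on POST.
        public FormValidation doTestParserUnsafe(@QueryParameter String regexp,
                                                 @QueryParameter String example) {
            return runParser(regexp, example);
        }

        // AFTER (the behaviour the advisory credits to 5.0.2): @POST makes Stapler reject
        // non-POST requests, which puts the call behind Jenkins' CSRF crumb check. The
        // explicit permission check additionally keeps the evaluation away from users
        // who should not be configuring parsers at all.
        @POST
        public FormValidation doTestParser(@QueryParameter String regexp,
                                           @QueryParameter String example) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return runParser(regexp, example);
        }

        // Minimal stand-in for the parser test: compile the pattern and try it on the
        // example line. The real plugin evaluates richer, user-supplied parser logic
        // here, which is why reaching this method cross-site is so dangerous.
        private FormValidation runParser(String regexp, String example) {
            try {
                boolean matched = Pattern.compile(regexp).matcher(example).find();
                return matched ? FormValidation.ok("Example line matched")
                               : FormValidation.warning("Example line did not match");
            } catch (PatternSyntaxException e) {
                return FormValidation.error("Invalid regular expression: " + e.getDescription());
            }
        }
    }
}
```

Requiring POST only helps while Jenkins' CSRF protection ("Prevent Cross Site Request Forgery exploits") stays enabled; the annotation and the crumb filter work together.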


1.2 CVSS Score

The CVSS Base Score is 8.8 (High).

1.3 Affected Version

Jenkins Warnings Plugin 5.0.1 and prior versions.

1.4 Vulnerability Attribution

This vulnerability was a consequence of an incomplete fix for the vulnerability tracked as CVE-2019-1003005. It appears to have been found by Jenkins directly.

1.5 Risk Impact

No public exploit code is available, and a patch exists. Jenkins is an open source automation server that helps automate building, testing, and deploying software in the CI/CD pipeline. It integrates with project management software (JIRA), incident filing tools (Bugzilla), static analysis tools (Veracode), legal compliance tools (Black Duck), build tools (Ant, Maven) and version control tools (Subversion, Git). Millions of Jenkins server instances are in use worldwide.


1.6 Virsec Security Platform (VSP) Support

The VSP-Web capability can detect such a CSRF attack and prevent it from being exploited.

1.7 Reference Links



*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: