CVE-2020-2160

Published: Mar 25, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier uses different representations of request URL paths, which allows attackers to craft URLs that allow bypassing CSRF protection of any target URL.

Affected (2)

Products: Jenkins: Jenkins

Jenkins

1 product

Jenkins

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 2.227
Jenkins Jenkins	Up to 2.204.5

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

http://www.openwall.com/lists/oss-security/2020/03/25/2

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2020/03/25/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1774

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.