CVE-2020-2116

CWE-352 — Cross-Site Request Forgery (CSRF)5 documents5 sources

Severity

8.8HIGH

EPSS

0.1%

top 77.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Pipeline Github Notify Step Plugin Jenkins Pipeline Github Notify Step

Timeline

PublishedFeb 12

Latest updateMay 24

Description

A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:pipeline-githubnotify-step< 1.0.5

▶CVEListV5jenkins_project/jenkins_pipeline_github_notify_step_pluginunspecified — 1.0.4

▶NVDjenkins/pipeline_github_notify_step1.0.4

🔴Vulnerability Details

OSV

CSRF vulnerability in Pipeline GitHub Notify Step Plugin allows capturing credentials↗2022-05-24

▶

GHSA

CSRF vulnerability in Pipeline GitHub Notify Step Plugin allows capturing credentials↗2022-05-24

▶

CVEList

CVE-2020-2116: A cross-site request forgery vulnerability in Jenkins Pipeline GitHub Notify Step Plugin 1↗2020-02-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-02-12↗2020-02-12

▶