CVE-2020-2184
Published 2020-05-06
Priority: P4 (32) · Severity: medium · CVSS 3.1 base score: 4.3
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 44.46% (98.6th percentile)
A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | amazon_ec2_plugin | — | — |
| jenkins | copy_artifact_plugin | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | current_versions_systems | <= 2.15 | — |
| jenkins | cvs_plugin | — | — |
| jenkins | for_more_information_see_the_plugin | — | — |
| jenkins | ids_in_amazon_ec2_plugin | — | — |
| jenkins | ids_to_allow_users_configuring_the_plugin | — | — |
| jenkins | scm_filter_jervis_plugin | — | — |
| jenkins | when_updating_the_plugin | — | — |
| jenkins_project | jenkins_cvs_plugin | unspecified – 2.15 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
GHSA: CSRF vulnerability in Jenkins CVS Plugin (ghsa · 2022-05-24 · severity MEDIUM · CWE-352)
CVS Plugin 2.15 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
CVS Plugin 2.16 now requires POST requests for the affected HTTP endpoints.
OSV: CSRF vulnerability in Jenkins CVS Plugin (osv · 2022-05-24 · severity MEDIUM)
The OSV entry carries the same description and fix note as the GHSA entry above.
Jenkins: Jenkins Security Advisory 2020-05-06 (vendor_jenkins · 2020-05-06 · CVSS 6.5; indexed under CVE-2020-2181 [MEDIUM])
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Amazon EC2 Plugin
- Copy Artifact Plugin
- Credentials Binding Plugin
- CVS Plugin
- SCM Filter Jervis Plugin
Descriptions
Secrets are not masked by Credentials Binding Plugin in
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-05-06