CVE-2020-2288
Published 2020-10-08
CVE-2020-2288: In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would…
Priority P4 | 24 | medium | 5.3 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.94% (56.5th percentile)
In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | active_choices_plugin | — | — |
| jenkins | audit_trail | <= 3.6 | — |
| jenkins | audit_trail_plugin | — | — |
| jenkins | incorrect_default_pattern_in_audit_trail_plugin | — | — |
| jenkins | maven_cascade_release_plugin | — | — |
| jenkins | nerrvana_plugin | — | — |
| jenkins | persona_plugin | — | — |
| jenkins | release_plugin | — | — |
| jenkins | request_logging_could_be_bypassed_in_audit_trail_plugin | — | — |
| jenkins | role-based_authorization_strategy_plugin | — | — |
| jenkins | shared_objects_plugin | — | — |
| jenkins | sms_notification_plugin | — | — |
| jenkins_project | jenkins_audit_trail_plugin | unspecified – 3.6 | — |
CVSS provenance
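| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |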
Jenkins
Jenkins Security Advisory 2020-10-08
vendor_jenkins·2020-10-08·CVSS 8.8
CVE-2020-2286 [HIGH] Jenkins Security Advisory 2020-10-08
This advisory announces vulnerabilities in the following Jenkins deliverables:
Active Choices Plugin
Audit Trail Plugin
couchdb-statistics Plugin
Maven Cascade Release Plugin
Nerrvana Plugin
Persona Plugin
Release Plugin
Role-based Authoriza
GHSA
Incorrect default pattern in Jenkins Audit Trail Plugin
ghsa·2022-05-24
CVE-2020-2288 [MEDIUM] CWE-185 Incorrect default pattern in Jenkins Audit Trail Plugin
Jenkins Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.
In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.
Jenkins Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It will automatically replace previous default patterns with the new, more complete default pattern.
Additionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with a
OSV
Incorrect default pattern in Jenkins Audit Trail Plugin
osv·2022-05-24
CVE-2020-2288 [MEDIUM] Incorrect default pattern in Jenkins Audit Trail Plugin
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2020-10-08