PT-2020-15455 · Jenkins · Jenkins Pipeline Maven Integration Plugin +1

Tim Jacomb · Published 2020-08-12 · Updated 2023-10-25

CVE-2020-2234 · CVSS v3.1 6.5 (Medium) · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier

Description: A missing permission check in the plugin allows users with Overall/Read access to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. The form validation method is also vulnerable to cross-site request forgery (CSRF), as it does not require POST requests.

Recommendations: For Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier, update to version 3.8.3 or later, which requires POST requests and Job/Configure permission for the affected form validation method, mitigating the issue.
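Added example (not code from the plugin or from the advisory) of the form-validation pattern the recommendation describes, written as a Jenkins plugin descriptor method: the class, method and parameter names are hypothetical, while the Stapler and Jenkins APIs used (`@POST`, `@AncestorInPath`, `checkPermission`, `FormValidation`) are real.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical descriptor fragment; all names are constructed for illustration. */
public class JdbcSettingsValidator {

    // Shape of the weak method (constructed here, not the plugin's code):
    // reachable via GET and with no permission check, so any Overall/Read
    // user, or a cross-site page acting on their behalf, can make Jenkins
    // open a connection to a URL they choose with a stored credential.
    public FormValidation doValidateJdbcUnsafe(@QueryParameter String jdbcUrl,
                                               @QueryParameter String jdbcCredentialsId) {
        return checkSettings(jdbcUrl);
    }

    // Hardened method, as the 3.8.3 recommendation describes:
    // @POST rejects GET requests (so Jenkins' CSRF crumb protection applies),
    // and the caller must hold Job/Configure on the item being configured.
    @POST
    public FormValidation doValidateJdbc(@AncestorInPath Item item,
                                         @QueryParameter String jdbcUrl,
                                         @QueryParameter String jdbcCredentialsId) {
        if (item == null) {
            // No job in the request path (e.g. a global configuration screen):
            // require an administrator rather than skipping the check.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE); // Job/Configure
        }
        return checkSettings(jdbcUrl);
    }

    // Syntactic checks only; the live connection attempt is deliberately left out.
    private FormValidation checkSettings(String jdbcUrl) {
        if (jdbcUrl == null || jdbcUrl.trim().isEmpty()) {
            return FormValidation.ok();
        }
        if (!jdbcUrl.startsWith("jdbc:")) {
            return FormValidation.error("JDBC URL must start with 'jdbc:'");
        }
        return FormValidation.ok();
    }
}
```

Jenkins only enforces its CSRF crumb on POST, so the `@POST` annotation and the permission check together close both issues the description lists.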

Weakness Enumeration

Improper Authorization
Missing Authorization

Related Identifiers

CVE-2020-2234
GHSA-MRR8-FCG7-P2WG

Affected Products

Jenkins
Jenkins Pipeline Maven Integration Plugin