PT-2020-15517 · Jenkins · Stapler+2
Daniel Beck +1
Published 2020-10-08 · Updated 2023-10-25
CVE-2020-2287
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Audit Trail Plugin versions 3.6 and earlier
Description
The Audit Trail Plugin applies its request-logging pattern to a different representation of the request URL path than the one the Stapler web framework uses to route the request. Because the two components disagree on what the path is, an attacker can craft a URL that Stapler still dispatches to the intended target while the plugin's pattern fails to match it, so the request is never written to the audit log. This also affects Jenkins 2.227 and earlier and LTS 2.204.5 and earlier, where Stapler's URL path representation differs from the one the plugin matches against.
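The following is an added illustration of the bug class described above, not code from the Audit Trail Plugin or Stapler, and it does not reproduce the actual bypass: the page does not state which transformation Stapler applies to request paths, so the normalisation steps below (dropping `;` path parameters, percent-decoding, collapsing `//` and `.` segments) and the sample request paths are constructed assumptions. It shows why a logging filter that pattern-matches one representation of the path while the router dispatches on another can be bypassed, and how matching the router's own representation closes the gap.

```python
"""Constructed model of a request-logging bypass caused by a parsing discrepancy.

Added example: not Audit Trail Plugin or Stapler code. router_normalize() is a
hypothetical framework normalisation chosen to illustrate the class of bug.
"""
import re
from urllib.parse import unquote

# Pattern an operator might configure to audit build triggers (constructed).
LOG_PATTERN = re.compile(r"^/job/[^/]+/build$")

# Constructed request paths that all reach the same handler after normalisation.
REQUESTS = [
    "/job/demo/build",          # canonical form
    "//job/demo/build",         # duplicated leading slash
    "/job/demo/build;x=1",      # path parameter on the last segment
    "/job/demo/./build",        # '.' segment
    "/job/demo/%62uild",        # percent-encoded 'b'
]


def router_normalize(raw_path: str) -> str:
    """Hypothetical normalisation the routing layer applies before dispatch."""
    segments = [seg.split(";", 1)[0] for seg in raw_path.split("/")]  # drop ';params'
    segments = [unquote(seg) for seg in segments]                      # percent-decode
    segments = [seg for seg in segments if seg not in ("", ".")]       # drop '//' and '.'
    return "/" + "/".join(segments)


def vulnerable_should_log(raw_path: str) -> bool:
    """Matches the raw request path: a different representation than the router uses."""
    return LOG_PATTERN.search(raw_path) is not None


def fixed_should_log(raw_path: str) -> bool:
    """Matches the same representation the router dispatches on."""
    return LOG_PATTERN.search(router_normalize(raw_path)) is not None


def audit(requests, should_log):
    """Return (dispatched_targets, logged_targets) for a list of raw request paths."""
    dispatched, logged = [], []
    for raw in requests:
        target = router_normalize(raw)
        dispatched.append(target)
        if should_log(raw):
            logged.append(target)
    return dispatched, logged


def missed_by(should_log):
    """Raw paths that reach the audited handler but would not be logged."""
    return [raw for raw in REQUESTS if not should_log(raw)]


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_should_log), ("fixed", fixed_should_log)):
        dispatched, logged = audit(REQUESTS, fn)
        print(f"{name}: {len(logged)}/{len(dispatched)} requests logged; "
              f"missed: {missed_by(fn)}")
```

Every request in the list is dispatched to `/job/demo/build`, yet the filter that matches the raw path logs only the canonical form; the filter that matches the normalised path logs all five. The general lesson is that an audit or authorisation check must see the same representation of the request as the code that acts on it.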
Recommendations
If you run Jenkins Audit Trail Plugin 3.6 or earlier, update to version 3.7 or later. The fixed version applies its logging pattern to the same request URL path representation that the Stapler web framework uses for routing, so a request cannot be dispatched to an audited target without also matching the pattern. After upgrading, verify that requests to an audited URL appear in the audit log regardless of how the path is written.
Affected Products
Jenkins
Jenkins Audit Trail Plugin
Stapler