PT-2020-2656 · Cloudbees+1 · Jenkins
Nick Collisson · Published 2020-03-25 · Updated 2024-03-06 · CVE-2020-2160
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.227 and earlier; Jenkins LTS versions 2.204.5 and earlier
Description: Jenkins lacked complete protection against cross-site request forgery (CSRF). The CSRF protection extension point and the Stapler web framework used different representations of the URL path, so the decision whether a request needed CSRF protection could be made for a different path than the one Stapler actually dispatched. This allowed attackers to craft URLs that bypass CSRF protection for any target URL and, via a specially crafted web page, perform arbitrary actions on a vulnerable Jenkins instance. This discrepancy in URL path representation is the root cause of the problem in Jenkins versions 2.227 and earlier and LTS 2.204.5 and earlier.
Recommendations: For Jenkins versions 2.227 and earlier, and for Jenkins LTS versions 2.204.5 and earlier, update to a version in which the decision whether CSRF protection is needed for a given URL uses the same representation of the URL path as the Stapler web framework. If the fix causes problems, it can be temporarily disabled by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true. The protection against semicolon (;) characters in the path part of a URL can likewise be disabled, if necessary, by setting the system property jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.
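The root cause described above, a CSRF filter and a routing framework that derive the URL path differently, is a parser differential that can be modelled in a few lines. The following is an added example written for this page; it is not Jenkins, Stapler or CrumbFilter code, and the exempt prefixes, the state-changing routes, the canonicalisation rules and the sample requests are constructed assumptions. It places a filter that decides on the raw path beside one that reuses the router's canonical form, and includes a defender-side check that reports any sample request reaching a state-changing route without a token.

```python
"""Model of a CSRF filter that disagrees with the router about the URL path.

Constructed example for this advisory page; not Jenkins, Stapler or CrumbFilter code.
"""
from posixpath import normpath
from typing import Callable, List, Optional
from urllib.parse import unquote

# Assumption: prefixes that legitimately need no CSRF token (login form, static assets).
CSRF_EXEMPT_PREFIXES = ("/login", "/static/")

# Assumption: state-changing endpoints that must always require a token.
STATE_CHANGING_ROUTES = {"/admin/run", "/job/build/doDelete"}


def canonical_path(raw_path: str) -> str:
    """The representation the router dispatches on: strip the query string,
    drop ';param' path parameters from each segment, percent-decode, and
    collapse '.' and '..' segments. Every component that makes a security
    decision about a URL should reuse this one function."""
    path = raw_path.split("?", 1)[0]
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = unquote(path)
    norm = normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def route(raw_path: str) -> Optional[str]:
    """Router: returns the state-changing route a request reaches, if any."""
    path = canonical_path(raw_path)
    return path if path in STATE_CHANGING_ROUTES else None


def csrf_check_needed_weak(raw_path: str) -> bool:
    """Vulnerable filter: tests the exemption against the *raw* path, so the
    filter and the router can be looking at two different strings."""
    path = raw_path.split("?", 1)[0]
    return not path.startswith(CSRF_EXEMPT_PREFIXES)


def csrf_check_needed_fixed(raw_path: str) -> bool:
    """Fixed filter: tests the exemption against the same canonical path the
    router uses, which is the change the advisory's fix describes."""
    return not canonical_path(raw_path).startswith(CSRF_EXEMPT_PREFIXES)


def handle(raw_path: str, has_token: bool, check: Callable[[str], bool]) -> str:
    """Simulates the filter chain: CSRF filter first, then the router.
    Returns 'rejected', 'executed' (a state-changing route ran) or 'no-op'."""
    if check(raw_path) and not has_token:
        return "rejected"
    return "executed" if route(raw_path) else "no-op"


def find_differentials(check: Callable[[str], bool], samples: List[str]) -> List[str]:
    """Defender-side regression check: any request that reaches a
    state-changing route without a token is a CSRF bypass of `check`."""
    return [p for p in samples if handle(p, has_token=False, check=check) == "executed"]


# Constructed requests: one plain protected request, three that look exempt
# to a raw-path prefix test but canonicalise to a protected route, and one
# genuinely exempt static asset.
SAMPLE_REQUESTS = [
    "/admin/run",
    "/static/../admin/run",
    "/static/%2e%2e/admin/run",
    "/login;x/../admin/run",
    "/static/app.js",
]

if __name__ == "__main__":
    print("weak filter bypasses :", find_differentials(csrf_check_needed_weak, SAMPLE_REQUESTS))
    print("fixed filter bypasses:", find_differentials(csrf_check_needed_fixed, SAMPLE_REQUESTS))
```

The point of `find_differentials` is that it is cheap to keep as a regression test: feed it every path form the stack accepts (path parameters, percent-encoding, dot segments) and require an empty result, so a future change to either the filter or the router that reintroduces a second path representation fails the build instead of shipping.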

Fix

Weakness Enumeration: CSRF

Related Identifiers

BDU:2020-02700
BIT-JENKINS-2020-2160
CVE-2020-2160
GHSA-C735-G9F2-2MVP

Affected Products

Jenkins