CVE-2020-2280 – org.jvnet.hudson.plugins:warnings

Package

Manager: maven
Name: org.jvnet.hudson.plugins:warnings
Vulnerable Version: >=0 <5.0.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00145 pctl0.35406

Details

CSRF vulnerability in Jenkins warnings Plugin allows remote code execution warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary code. warnings Plugin 5.0.2 requires POST requests for the affected form validation method. This vulnerability was caused by an incomplete fix to [SECURITY-1295](https://www.jenkins.io/security/advisory/2019-01-28/).

Metadata

Created: 2022-05-24T17:29:16Z
Modified: 2023-10-27T11:29:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q564-vvx8-9388/GHSA-q564-vvx8-9388.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-q564-vvx8-9388
Finding: F007
Auto approve: 1