Improper Authentication

Affecting org.jenkins-ci.plugins:audit-trail artifact, versions [,3.7)


Overview

org.jenkins-ci.plugins:audit-trail is a Jenkins plugin that keeps a log of who performed particular Jenkins operations, such as configuring jobs.

Affected versions of this package are vulnerable to Improper Authentication. The plugin logs requests whose URL path matches an admin-configured regular expression. A discrepancy between how the plugin and the Stapler web framework parse URL paths allows attackers to craft URLs that bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier and LTS 2.204.5 and earlier, as the fix in Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.
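To make the parsing-discrepancy point concrete, here is an added Python model (not the plugin's code and not Stapler's path handling): an audit filter that matches the admin regex against the raw request path, beside a hardened one that first canonicalizes the path the way a routing framework would before dispatch. The audit pattern, the normalization steps and the sample paths are constructed assumptions for illustration, not the specific discrepancy the advisory refers to.

```python
import re
from urllib.parse import unquote

# Constructed audit pattern, modelled on an admin-configured Audit Trail
# regex that should capture job configuration changes and script runs.
# (Assumption for this example, not the plugin's default pattern.)
AUDIT_PATTERN = re.compile(r".*/(configSubmit|doDelete|script)$")


def naive_should_log(raw_path: str) -> bool:
    """Match the regex against the path exactly as received.

    This mirrors the flawed behaviour the advisory describes: the audit
    decision is taken on a string that the web framework will later
    interpret differently when it picks the handler."""
    return AUDIT_PATTERN.match(raw_path) is not None


def canonical_path(raw_path: str) -> str:
    """Normalise a path the way a path-routing framework resolves it.

    The steps (percent-decoding, dropping ';'-delimited path parameters,
    collapsing empty and dot segments) are illustrative assumptions, not a
    description of Stapler's algorithm."""
    segments = []
    for seg in raw_path.split("/"):
        seg = unquote(seg).split(";", 1)[0]  # decode, strip matrix params
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def should_log(raw_path: str) -> bool:
    """Hardened form: evaluate the audit regex on the canonical path, i.e.
    on the same view of the URL the framework uses for dispatch."""
    return AUDIT_PATTERN.match(canonical_path(raw_path)) is not None


# Constructed sample requests: the first is plain; the rest resolve to the
# same handler but do not match the regex as raw strings.
SAMPLE_REQUESTS = [
    "/job/build-app/configSubmit",
    "/job/build-app/configSubmit;jsessionid=constructed",
    "/job/build-app//configSubmit/",
    "/job/build-app/config%53ubmit",
]


def audit_gap(paths):
    """Paths the canonical check logs but the naive check silently drops:
    the audit-trail blind spot a defender wants to be empty."""
    return [p for p in paths if should_log(p) and not naive_should_log(p)]
```

Running `audit_gap(SAMPLE_REQUESTS)` returns the three variant paths, which is exactly the class of requests that disappears from the trail when the regex is applied before canonicalization.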

Remediation

Upgrade org.jenkins-ci.plugins:audit-trail to version 3.7 or higher.

CVSS Score

5.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Credit: Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.
CVE: CVE-2020-2287
CWE: CWE-287
Snyk ID: SNYK-JAVA-ORGJENKINSCIPLUGINS-1016918
Disclosed: 09 Oct, 2020
Published: 09 Oct, 2020