ID CVE-2020-2287
Summary Jenkins Audit Trail Plugin 3.6 and earlier applies pattern matching to a different representation of request URL paths than the Stapler web framework uses for dispatching requests, which allows attackers to craft URLs that bypass request logging of any target URL.
References
Vulnerable Configurations
  • cpe:2.3:a:jenkins:audit_trail:1.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.7:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:1.8:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:2.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:2.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:2.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:2.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:2.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:2.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:2.6:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:3.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:3.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:3.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:3.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:3.4:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:3.5:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:audit_trail:3.6:*:*:*:*:jenkins:*:*
CVSS
Base: 5.0 (as of 16-10-2020 - 16:25)
Impact:
Exploitability:
CWE CWE-435
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:N
refmap via4
confirm https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-1815
mlist [oss-security] 20201008 Multiple vulnerabilities in Jenkins plugins
Last major update 16-10-2020 - 16:25
Published 08-10-2020 - 13:15
Last modified 16-10-2020 - 16:25