CVE-2020-2280 — CSRF vulnerability in Jenkins warnings Plugin allows remote code execution

Description

warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary code. warnings Plugin 5.0.2 requires POST requests for the affected form validation method. This vulnerability was caused by an incomplete fix to [SECURITY-1295](https://www.jenkins.io/security/advisory/2019-01-28/).

How to fix CVE-2020-2280

To remediate CVE-2020-2280, upgrade the affected package to a fixed version below.

—upgrade to 5.0.2 or later

Is CVE-2020-2280 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2280
PATCHgithub.com/jenkinsci/warnings-plugin
WEBwww.jenkins.io/security/advisory/2020-09-23/#SECURITY-2042
WEBwww.openwall.com/lists/oss-security/2020/09/23/1