CVE-2020-2287

Description

Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression. A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for [SECURITY-1774](https://www.jenkins.io/security/advisory/2020-03-25/#SECURITY-1774) prohibits dispatch of affected requests. Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.

How to fix CVE-2020-2287

To remediate CVE-2020-2287, upgrade the affected package to a fixed version below.

• —upgrade to 3.7 or later

Is CVE-2020-2287 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.7

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2287
• PATCHgithub.com/jenkinsci/audit-trail-plugin
• WEBgithub.com/jenkinsci/audit-trail-plugin/commit/329c6090c1c444a16e95757e537b0cbb2347a9f4
• WEBwww.jenkins.io/security/advisory/2020-10-08/#SECURITY-1815