[JENKINS:SECURITY-1815] Request logging could be bypassed in `audit-trail`

Severity Medium

Affected Packages 2

Fixed Packages 2

CVEs 1

audit-trail logs requests whose URL path matches an admin-configured regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in audit-trail 3.6 and earlier.
This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for link:/security/advisory/2020-03-25/#SECURITY-1774[SECURITY-1774] prohibits dispatch of affected requests.

audit-trail 3.7 processes request URL paths the same way as the Stapler web framework.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/audit-trail	<= 3.6
pkg:github/jenkinsci/audit-trail-plugin	<= 3.6

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/audit-trail	= 3.7
pkg:github/jenkinsci/audit-trail-plugin	= 3.7

ID

JENKINS:SECURITY-1815

Severity

medium

Published

2020-10-08T00:00:00
(4 years ago)

Modified

2020-10-08T00:00:00
(4 years ago)

Rights

Jenkins Security Team

Other Advisories

MAVEN:GHSA-RPJ6-2Q8R-98F8

Source	# ID	Name	URL
Plugin repository		audit-trail repository	https://github.com/jenkinsci/audit-trail-plugin

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/audit-trail	org.jenkins-ci.plugins	audit-trail	<= 3.6
Fixed	pkg:maven/org.jenkins-ci.plugins/audit-trail	org.jenkins-ci.plugins	audit-trail	= 3.7
Affected	pkg:github/jenkinsci/audit-trail-plugin	jenkinsci	audit-trail-plugin	<= 3.6
Fixed	pkg:github/jenkinsci/audit-trail-plugin	jenkinsci	audit-trail-plugin	= 3.7

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date