[MAVEN:GHSA-RPJ6-2Q8R-98F8] Request logging bypass in Jenkins Audit Trail Plugin

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for SECURITY-1774 prohibits dispatch of affected requests.

Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.
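The failure mode described above, as an added illustration that is not the Audit Trail Plugin's or Stapler's code: a logging filter applies the admin's regular expression to the request path as received, while the dispatcher routes on a canonicalized form of the same path, so any spelling the dispatcher accepts but the regex does not recognize reaches the handler unlogged. The canonicalization rules in dispatcher_path() (path parameters after ';', percent-decoding, '.' and '..' segments), the regex, and the request paths are all constructed assumptions chosen to show the class of discrepancy; the page does not say which rule the real plugin and Stapler disagreed on. dispatch_rejects() models the complementary framework-level response the advisory attributes to SECURITY-1774, refusing to route non-canonical paths at all, and is likewise an assumption rather than Jenkins code.

```python
import re
from urllib.parse import unquote

# Added illustration, not the Audit Trail Plugin's or Stapler's code. The
# canonicalization rules in dispatcher_path() are assumptions chosen to show
# the class of bug (logger and dispatcher disagreeing about the path); the
# advisory does not identify the specific rule(s) involved.


def dispatcher_path(raw_path: str) -> str:
    """Assumed dispatcher canonicalization of a request path: strip ';key=value'
    path parameters from each segment, percent-decode, drop empty and '.'
    segments, and resolve '..'. The handler is chosen from this form."""
    segments = []
    for seg in raw_path.split("/"):
        seg = unquote(seg.split(";", 1)[0])  # drop ';jsessionid=...', then %XX
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


class RawPathAuditLogger:
    """Bypassable design: the admin regex is applied to the path as received."""

    def __init__(self, pattern: str):
        self.pattern = re.compile(pattern)
        self.logged = []

    def filter(self, raw_path: str) -> bool:
        hit = self.pattern.match(raw_path) is not None
        if hit:
            self.logged.append(raw_path)
        return hit


class CanonicalPathAuditLogger:
    """Fixed design: apply the regex to the same canonical path the dispatcher
    routes on, so every spelling that reaches the handler is logged."""

    def __init__(self, pattern: str):
        self.pattern = re.compile(pattern)
        self.logged = []

    def filter(self, raw_path: str) -> bool:
        canon = dispatcher_path(raw_path)
        hit = self.pattern.match(canon) is not None
        if hit:
            self.logged.append(canon)
        return hit


def dispatch_rejects(raw_path: str) -> bool:
    """Model of a framework-level fix: refuse to dispatch any request whose
    path is not already canonical, so spellings the logger could disagree
    about never reach a handler. (Assumption modelled on the advisory's
    one-line description of SECURITY-1774, not Jenkins' actual code.)"""
    return dispatcher_path(raw_path) != raw_path


# Constructed admin regex: log deletions and config submissions on any job.
PATTERN = r"^/job/[^/]+/(?:doDelete|configSubmit)$"

# Constructed request paths. All but the last route to /job/demo/doDelete
# after canonicalization; the spellings are generic normalization differences.
REQUESTS = [
    "/job/demo/doDelete",                    # plain form
    "/job/demo/doDele%74e",                  # percent-encoded letter
    "/job/demo/doDelete;jsessionid=abc123",  # path parameter on last segment
    "/job/demo/./doDelete",                  # single-dot segment
    "/job/demo/other/../doDelete",           # dot-dot segment
    "/job/demo/api",                         # benign: nobody should log it
]


def compare(pattern: str = PATTERN, requests=REQUESTS) -> dict:
    """Return {raw_path: (logged_by_raw_matcher, logged_by_canonical_matcher,
    rejected_by_strict_dispatcher)} for each request."""
    raw_logger = RawPathAuditLogger(pattern)
    canon_logger = CanonicalPathAuditLogger(pattern)
    return {
        p: (raw_logger.filter(p), canon_logger.filter(p), dispatch_rejects(p))
        for p in requests
    }


if __name__ == "__main__":
    for path, (raw_hit, canon_hit, rejected) in compare().items():
        print(f"{path:40} raw-match={raw_hit!s:5} canonical-match={canon_hit!s:5} "
              f"strict-dispatch-rejects={rejected}")
```

Running the block shows that only the plain spelling is logged by the raw matcher, while the canonical matcher logs all five variants that actually route to the deletion handler; the strict dispatcher would have refused the four non-canonical spellings outright. The practical check for any audit filter is the same: feed it the path the router used, not the bytes on the wire, or make the router refuse anything the two could disagree about.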

Package                                         Affected Version
pkg:maven/org.jenkins-ci.plugins/audit-trail    < 3.7
ID
MAVEN:GHSA-RPJ6-2Q8R-98F8
Severity
moderate
URL
https://github.com/advisories/GHSA-rpj6-2q8r-98f8
Published
2022-02-10T20:29:39
Modified
2023-12-21T13:51:21
Rights
Maven Security Team
Other Advisories
Type      Package URL                                    Namespace                Name / Product   Version   Distribution / Platform   Arch   Patch / Fix
Affected  pkg:maven/org.jenkins-ci.plugins/audit-trail   org.jenkins-ci.plugins   audit-trail      < 3.7
Fixed     pkg:maven/org.jenkins-ci.plugins/audit-trail   org.jenkins-ci.plugins   audit-trail      = 3.7
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Publication Date Modification Date