CVE-2020-2184
Description
A cross-site request forgery vulnerability in Jenkins CVS Plugin 2.15 and earlier allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Jenkins CVS Plugin 2.15 and earlier lets attackers create/manipulate tags and connect to attacker-specified URLs.
Vulnerability
Overview
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins CVS Plugin, affecting versions 2.15 and earlier. The plugin does not perform adequate CSRF protection when processing requests to create or manipulate CVS tags, nor does it validate URLs used for connections.[1][2]
Exploitation
Details
An attacker can craft a malicious web page that, when visited by an authenticated Jenkins user (with the necessary permissions), triggers unauthorized actions on the Jenkins server. The attack requires the victim to have an active Jenkins session and to interact with the attacker-controlled page. No additional authentication or network access beyond typical web browsing is needed.[1][4]
Impact
Successful exploitation allows the attacker to create and manipulate CVS tags on the Jenkins server, potentially disrupting build processes or version control workflows. Additionally, the attacker can force the Jenkins instance to connect to an attacker-specified URL, which could be used for further reconnaissance, data exfiltration, or as a pivot for other attacks.[1][2]
Mitigation
The vulnerability has been addressed in CVS Plugin version 2.16, released as part of the Jenkins Security Advisory on 2020-05-06. Users should update to version 2.16 or later. No workarounds are identified; however, ensuring Jenkins is not exposed to untrusted networks and employing general CSRF protections may reduce risk.[1][4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:cvs (Maven) | < 2.16 | 2.16 |
Affected products
- Range: <=2.15
- Range: unspecified
Patches
8954b3a1e498 [SECURITY-1094]
6 files changed · +9 −3
src/main/java/hudson/scm/browsers/FishEyeCVS.java+2 −0 modified@@ -35,6 +35,7 @@ import jenkins.model.Jenkins; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.interceptor.RequirePOST; import javax.servlet.ServletException; import java.io.IOException; @@ -84,6 +85,7 @@ public String getDisplayName() { return "FishEye"; } + @RequirePOST public FormValidation doCheckUrl(@QueryParameter String value) throws IOException, ServletException { value = Util.fixEmpty(value); if (value == null) return FormValidation.ok();
src/main/java/hudson/scm/cvstagging/CvsTagAction.java+2 −0 modified@@ -38,6 +38,7 @@ import org.kohsuke.stapler.StaplerResponse; import org.kohsuke.stapler.export.Exported; import org.kohsuke.stapler.export.ExportedBean; +import org.kohsuke.stapler.interceptor.RequirePOST; import javax.servlet.ServletException; import java.io.IOException; @@ -106,6 +107,7 @@ public AbstractCvs getParent() { return parentScm; } + @RequirePOST public synchronized void doSubmit(final StaplerRequest request, final StaplerResponse response) throws IOException, ServletException { // check the user is allowed to tag
src/main/java/hudson/scm/cvstagging/LegacyTagAction.java+2 −0 modified@@ -36,6 +36,7 @@ import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; import org.kohsuke.stapler.export.Exported; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.netbeans.lib.cvsclient.Client; import org.netbeans.lib.cvsclient.command.GlobalOptions; import org.netbeans.lib.cvsclient.command.tag.TagCommand; @@ -137,6 +138,7 @@ public boolean isTagged() { /** * Invoked to actually tag the workspace. */ + @RequirePOST @SuppressWarnings("unchecked") public synchronized void doSubmit(final StaplerRequest req, final StaplerResponse rsp) throws IOException,
src/main/resources/hudson/scm/browsers/FishEyeCVS/config.jelly+1 −1 modified@@ -25,6 +25,6 @@ THE SOFTWARE. <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form"> <f:entry title="URL" field="url"> - <f:textbox /> + <f:textbox checkMethod="post"/> </f:entry> </j:jelly>
src/main/resources/hudson/scm/cvstagging/CvsTagAction/tagForm.jelly+1 −1 modified@@ -32,7 +32,7 @@ THE SOFTWARE. <d:taglib uri="local"> <d:tag name="tagForm"> - <form action="submit" method="get"> + <form action="submit" method="post"> <j:set var="descriptor" value="${it.descriptor}" /> <table>
src/main/resources/hudson/scm/cvstagging/LegacyTagAction/tagForm.jelly+1 −1 modified@@ -32,7 +32,7 @@ THE SOFTWARE. <d:taglib uri="local"> <d:tag name="tagForm"> - <form action="submit" method="get"> + <form action="submit" method="post"> <j:set var="descriptor" value="${it.descriptor}" /> <table>
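Review bot: the `doCheckUrl` hunk in FishEyeCVS.java adds `@RequirePOST`, but the visible lines show no permission check before the supplied `value` is processed; since the advisory states that this validation connects to the given URL, consider also requiring an appropriate permission at the top of the method, because `@RequirePOST` only stops cross-site GET-triggered requests and does not restrict which authenticated users can trigger the connection. The matching `checkMethod="post"` in config.jelly is needed so the form's own validation call keeps working once GET is rejected.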
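Review bot: in both tagForm.jelly hunks the raw `<form action="submit" method="get">` becomes `method="post"` while staying a plain `<form>` rather than `<f:form>`; confirm that the CSRF crumb is actually added to the submission on these pages, since a plain `<form>` relies on the page's layout scripts to inject it, otherwise the `@RequirePOST` `doSubmit` handlers will receive a POST without a crumb and reject it when CSRF protection is enabled. The two files carry an identical change; a shared tag would avoid fixing the same form twice.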
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-63mw-hp3h-gc77 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2184 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2020/05/06/3 (GHSA, mailing list, x_refsource_MLIST, web)
- github.com/jenkinsci/cvs-plugin/commit/8954b3a1e498f11c09296d4f54dc2de6a371c448 (GHSA, web)
- jenkins.io/security/advisory/2020-05-06/ (GHSA, x_refsource_CONFIRM, web)
News mentions
- Jenkins Security Advisory 2020-05-06 (Jenkins Security Advisories · May 6, 2020)