CVE-2020-2235
Description
CSRF in Jenkins Pipeline Maven Integration Plugin allows attackers to connect to attacker-specified JDBC URLs and capture credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins Pipeline Maven Integration Plugin allows attackers to connect to attacker-specified JDBC URLs and capture credentials.
Vulnerability
Overview The Pipeline Maven Integration Plugin up to version 3.8.2 contains a cross-site request forgery (CSRF) vulnerability. The plugin fails to require a CSRF token for endpoints that configure JDBC connections, allowing an attacker to forge requests from a victim user.
Exploitation
An attacker can trick a Jenkins user with sufficient permissions into clicking a crafted link or visiting a malicious page. This triggers a request to the plugin's configuration endpoint, causing the victim's browser to submit a new JDBC URL and credential ID chosen by the attacker. The attacker must first obtain a valid credential ID through other means (e.g., another vulnerability or reconnaissance).
Impact
If successful, the attacker can connect Jenkins to an attacker-controlled database server. This could be leveraged to capture credentials stored in Jenkins, as the plugin may transmit them during the connection attempt. The vulnerability has a CVSS score of 8.0, indicating high severity [2].
Mitigation
The vulnerability is fixed in Pipeline Maven Integration Plugin version 3.8.3 [3][4]. Users should update immediately. As a workaround, ensure that only trusted users have access to Jenkins and consider restricting network access to prevent outbound connections to arbitrary JDBC URLs.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:pipeline-mavenMaven | < 3.8.3 | 3.8.3 |
Affected products
2- Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
5- github.com/advisories/GHSA-c2hg-2jj6-h8vhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-2235ghsaADVISORY
- www.openwall.com/lists/oss-security/2020/08/12/4ghsamailing-listx_refsource_MLISTWEB
- jenkins.io/security/advisory/2020-08-12/mitrex_refsource_CONFIRM
- jenkins.io/security/advisory/2020-08-12/ghsaWEB
News mentions
1- Jenkins Security Advisory 2020-08-12Jenkins Security Advisories · Aug 12, 2020