High severity · NVD Advisory · Published Sep 1, 2020 · Updated Aug 4, 2024
CVE-2020-2240
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins database Plugin 1.6 and earlier allows attackers to execute arbitrary SQL scripts.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:database (Maven) | < 1.7 | 1.7 |
Affected products
- Range: unspecified
Patches
13 files changed · +0 −165
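--- a/src/main/java/org/jenkinsci/plugins/database/DatabaseConsole.java
+++ /dev/null
@@ -1,63 +0,0 @@
-package org.jenkinsci.plugins.database;
-
-import hudson.Extension;
-import hudson.model.AbstractProject;
-import hudson.model.Action;
-import hudson.model.TopLevelItem;
-import hudson.model.TransientProjectActionFactory;
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.Collection;
-import java.util.Collections;
-import jenkins.model.Jenkins;
-import org.kohsuke.stapler.HttpResponse;
-import org.kohsuke.stapler.HttpResponses;
-import org.kohsuke.stapler.QueryParameter;
-
-public class DatabaseConsole implements Action {
-
-    private final TopLevelItem p;
-
-    private DatabaseConsole(TopLevelItem p) {
-        this.p = p;
-    }
-
-    @Override public String getUrlName() {
-        return enabled() ? "database-console" : null;
-    }
-
-    @Override public String getDisplayName() {
-        return "Database Console";
-    }
-
-    @Override public String getIconFileName() {
-        return enabled() ? "terminal.png" : null;
-    }
-
-    private boolean enabled() {
-        return Jenkins.get().hasPermission(Jenkins.ADMINISTER) && PerItemDatabaseConfiguration.findOrNull() != null;
-    }
-
-    public HttpResponse doExecute(@QueryParameter String sql) throws SQLException {
-        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
-        PerItemDatabase db = PerItemDatabaseConfiguration.find();
-
-        try(Connection con = db.getDataSource(p).getConnection(); Statement s = con.createStatement()) {
-            if (s.execute(sql)) {
-                return HttpResponses.forwardToView(this,"index").with("r",s.getResultSet());
-            } else {
-                return HttpResponses.forwardToView(this,"index").with("message","OK");
-            }
-        }
-    }
-
-    @Extension public static class Factory extends TransientProjectActionFactory {
-
-        @Override public Collection<? extends Action> createFor(AbstractProject p) {
-            return p instanceof TopLevelItem ? Collections.singleton(new DatabaseConsole((TopLevelItem) p)) : Collections.<Action>emptySet();
-        }
-
-    }
-
-}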
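--- a/src/test/java/org/jenkinsci/plugins/database/RootDatabaseConsole.java
+++ /dev/null
@@ -1,47 +0,0 @@
-package org.jenkinsci.plugins.database;
-
-import hudson.Extension;
-import hudson.model.RootAction;
-import org.kohsuke.stapler.HttpResponse;
-import org.kohsuke.stapler.HttpResponses;
-import org.kohsuke.stapler.QueryParameter;
-
-import javax.inject.Inject;
-import java.sql.Connection;
-import java.sql.SQLException;
-import java.sql.Statement;
-
-/**
- * @author Kohsuke Kawaguchi
- */
-@Extension
-public class RootDatabaseConsole implements RootAction {
-    @Inject
-    Sample sample;
-
-    public String getDisplayName() {
-        return "Database Console";
-    }
-
-    public String getIconFileName() {
-        return "terminal.png";
-    }
-
-    public String getUrlName() {
-        return "database-console";
-    }
-
-    public HttpResponse doExecute(@QueryParameter String sql) throws SQLException {
-        Database db = sample.getDatabase();
-        if (db==null)
-            throw new IllegalArgumentException("Database isn't configured yet");
-
-        Connection con = db.getDataSource().getConnection();
-        Statement s = con.createStatement();
-        if (s.execute(sql)) {
-            return HttpResponses.forwardToView(this,"index").with("r",s.getResultSet());
-        } else {
-            return HttpResponses.forwardToView(this,"index").with("message","OK");
-        }
-    }
-}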
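--- a/src/test/resources/org/jenkinsci/plugins/database/RootDatabaseConsole/index.groovy
+++ /dev/null
@@ -1,55 +0,0 @@
-package org.jenkinsci.plugins.database.RootDatabaseConsole
-
-import java.sql.ResultSet;
-
-def f = namespace(lib.FormTagLib)
-def l = namespace(lib.LayoutTagLib)
-
-l.layout{
-    l.main_panel {
-        form(method:"post",action:"execute") {
-            raw("""
-<p>
-    Go to <a href="../configure">the system config page</a> and configure
-    a valid database connection. Also try installing some database driver plugins,
-    such as <tt>database-h2</tt>.
-</p><p>
-    Then come back to this console and execute arbitrary SQL against the configured database.
-</p>
-<h2>SQL</h2>
-<textarea name=sql style='width:100%; height:5em'></textarea>
-            """)
-            div {
-                f.submit(value:"Execute")
-            }
-        }
-
-        if (request.getAttribute("message")!=null) {
-            p(message)
-        }
-
-        if (request.getAttribute("r")!=null) {
-            // renders the result
-            h2("Result")
-            table {
-                ResultSet rs = r;
-                int count = rs.metaData.columnCount;
-
-                tr {
-                    for (int i=1; i<=count; i++) {
-                        th { rs.metaData.getColumnLabel(i) }
-                    }
-                }
-
-                while (rs.next()) {
-                    tr {
-                        for (int i=1; i<=count; i++) {
-                            td(rs.getString(i))
-                        }
-                    }
-                }
-            }
-        }
-    }
-}
-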
References
- github.com/advisories/GHSA-jf9j-hx2j-m9xh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-2240 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2020/09/01/3 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/database-plugin/commit/a68258cf17ba8d5264010cc760770a62a3cc6c2d (ghsa, WEB)
- jenkins.io/security/advisory/2020-09-01/ (ghsa, x_refsource_CONFIRM, WEB)