Moderate severity · NVD Advisory · Published Sep 1, 2020 · Updated Aug 4, 2024

CVE-2020-2242

Description

A missing permission check in Jenkins database Plugin 1.6 and earlier allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                             Affected versions   Patched versions
org.jenkins-ci.plugins:database     < 1.7               1.7
(Maven)


Patches

Commit 7a438d96897a (SECURITY-1024) in https://github.com/jenkinsci/database-plugin, by Tim Jacomb, Aug 25, 2020, via GHSA.
2 files changed: +16 −5
  • src/main/java/org/jenkinsci/plugins/database/AbstractRemoteDatabaseDescriptor.java (+7 −3, modified)
    @@ -3,12 +3,14 @@
     import hudson.util.FormValidation;
     import hudson.util.Secret;
     import java.sql.Statement;
    +import jenkins.model.Jenkins;
     import org.kohsuke.stapler.QueryParameter;
     
     import javax.sql.DataSource;
     import java.lang.reflect.InvocationTargetException;
     import java.sql.Connection;
     import java.sql.SQLException;
    +import org.kohsuke.stapler.verb.POST;
     
     /**
      * @author Kohsuke Kawaguchi
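Review bot: import grouping nit on `+import org.kohsuke.stapler.verb.POST;`: it lands after the `java.sql.*` group while the other stapler import, `import org.kohsuke.stapler.QueryParameter;`, sits in the first group; placing the two `org.kohsuke.stapler` imports together keeps the header tidy. No functional concern with either added import.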
    @@ -21,15 +23,17 @@ protected AbstractRemoteDatabaseDescriptor(Class<? extends Database> clazz) {
             super(clazz);
         }
     
    +    @POST
         public FormValidation doValidate(
                 @QueryParameter String hostname,
                 @QueryParameter String database,
                 @QueryParameter String username,
    -            @QueryParameter String password,
    +            @QueryParameter Secret password,
                 @QueryParameter String properties) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, InstantiationException {
    -
    +        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    +        
             try {
    -            Database db = clazz.getConstructor(String.class,String.class,String.class,Secret.class,String.class).newInstance(hostname, database, username, Secret.fromString(password), properties);
    +            Database db = clazz.getConstructor(String.class,String.class,String.class,Secret.class,String.class).newInstance(hostname, database, username, password, properties);
                 DataSource ds = db.getDataSource();
                 try (Connection con = ds.getConnection(); Statement statement = con.createStatement()) {
                     statement.execute("SELECT 1");
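Review bot: the check `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` is correctly placed before the `try`, so the AccessDeniedException it throws cannot be swallowed by the catch blocks that follow, and `@POST` keeps the method from being invoked through a plain GET link. Two nits: the line added after the check (`+        `) is whitespace-only, and since `password` is now a `Secret` the Jelly form field for this validation should be wired so Stapler hands over the encrypted value (the dropped `Secret.fromString(password)` wrapping on the constructor call is consistent with that).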
    
  • src/main/java/org/jenkinsci/plugins/database/GenericDatabase.java (+9 −2, modified)
    @@ -12,6 +12,7 @@
     import javax.sql.DataSource;
     import java.io.File;
     import java.sql.SQLException;
    +import org.kohsuke.stapler.verb.POST;
     
     /**
      * {@link Database} implementation that allows the user to specify arbitrary JDBC connection string.
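Review bot: possible missing import. This file's hunks add `import org.kohsuke.stapler.verb.POST;` but no `import jenkins.model.Jenkins;`, while the two later hunks call `Jenkins.get()`; please confirm `jenkins.model.Jenkins` is already imported in GenericDatabase.java (it is not visible in this diff), otherwise the change does not compile. Same grouping nit as the other file: the new stapler import sits after the `java.*` group.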
    @@ -82,7 +83,10 @@ private synchronized ClassLoader getClassLoader() {
                 return loader;
             }
     
    +        @POST
             public FormValidation doCheckDriver(@QueryParameter String value) {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    +            
                 if (value.length()==0)
                     return FormValidation.ok(); // no value typed yet.
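Review bot: the permission check is correctly placed ahead of the empty-value shortcut `if (value.length()==0) return FormValidation.ok();`, so even the "no value typed yet" path now requires Overall/Administer; putting it after that early return would have left an unauthenticated entry point. Nit: the added `+            ` line after the check is trailing whitespace only.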
     
    @@ -94,12 +98,15 @@ public FormValidation doCheckDriver(@QueryParameter String value) {
                 }
             }
     
    +        @POST
             public FormValidation doValidate(@QueryParameter String driver,
                                              @QueryParameter String url,
                                              @QueryParameter String username,
    -                                         @QueryParameter String password) {
    +                                         @QueryParameter Secret password) {
    +            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    +            
                 try {
    -                new GenericDatabase(url,driver,username,Secret.fromString(password)).getDataSource();
    +                new GenericDatabase(url,driver,username, password).getDataSource();
                     // XXX what about the "SELECT 1" trick from AbstractRemoteDatabaseDescriptor?
                     return FormValidation.ok("OK");
                 } catch (SQLException e) {
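Review bot: the pre-existing `// XXX what about the "SELECT 1" trick from AbstractRemoteDatabaseDescriptor?` comment still stands: `getDataSource()` can succeed without opening a connection, so this validation may report "OK" for an unreachable server; worth a follow-up issue, though out of scope for this security fix. Style nits: `new GenericDatabase(url,driver,username, password)` mixes spacing after commas, and the added `+            ` line is whitespace-only. The check itself is correctly outside the `try`, so `catch (SQLException e)` cannot mask it.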
    
