VYPR
Moderate severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2273

Description

Jenkins ElasTest Plugin 1.2.1 and earlier is vulnerable to CSRF, allowing attackers to use plugin credentials to connect to arbitrary attacker-specified URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

Cross-site request forgery (CSRF) in Jenkins ElasTest Plugin 1.2.1 and earlier lets an attacker make the plugin act on their behalf by luring a logged-in Jenkins user to a crafted page or link. The plugin endpoint involved accepts a request without any proof that it was submitted deliberately from the Jenkins UI: Jenkins' crumb-based CSRF protection is enforced only on POST requests, so an endpoint that also answers GET can be driven by any cross-origin page the user's browser loads, and the browser attaches the user's Jenkins session cookie automatically [1][2].
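The shape of a Jenkins form-validation CSRF, as an added illustration that is not the ElasTest Plugin's source: the class, method and parameter names, the placement in global configuration and the Basic-auth probe are assumptions chosen for the example. The vulnerable method answers GET and checks no permission, so the crumb filter never sees the request; the hardened method is the form Jenkins plugin security guidance prescribes, `@POST` plus an explicit permission check.

```java
// Added example, not ElasTest Plugin code. Names and the GlobalConfiguration
// placement are assumed; only the Jenkins/Stapler APIs used are real.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

@Extension
public class ElasTestDescriptor extends GlobalConfiguration {

    // VULNERABLE shape: Stapler exposes this as /descriptorByName/.../testConnectionVulnerable
    // for both GET and POST. Jenkins' crumb check only runs on POST, so a cross-site
    // <img src="https://jenkins/...?url=...&username=...&password=..."> loaded by a
    // logged-in user makes the controller open the connection, with no permission check.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                     @QueryParameter String username,
                                                     @QueryParameter String password) {
        return probe(url, username, password);
    }

    // HARDENED shape: @POST rejects every non-POST request, and the POST that remains
    // must carry a valid crumb; the permission check then limits who may trigger the
    // outbound connection at all (Jenkins.ADMINISTER fits global configuration).
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(url, username, password);
    }

    // The side effect both variants share: an outbound HTTP request from the controller,
    // authenticated with whatever username/password the caller supplied.
    private static FormValidation probe(String url, String username, String password) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            // Do not echo the supplied credentials back in the error text.
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

With `@POST` in place a cross-site image tag or link can no longer reach the method, and a cross-site POST fails the crumb check; the permission check is what bounds the blast radius once a request is legitimate. For a descriptor that belongs to job configuration rather than global configuration, the check would be made against the item (`Item.CONFIGURE` on an `@AncestorInPath Item`) instead of `Jenkins.ADMINISTER`.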

Exploitation Details

The attacker needs neither a Jenkins account nor a network path to the controller: the victim's browser issues the request and carries the victim's session with it. What the attack does need is a user who holds the permission required to reach the endpoint and who, while logged in, opens a malicious link or page. The forged request carries a URL and credentials chosen by the attacker, so the controller ends up opening a connection to an attacker-specified server with whatever credentials the attacker supplied [1].

Impact

A successful attack makes the Jenkins controller open a connection to an attacker-specified URL with attacker-specified credentials, from the controller's own network position. That is enough to probe internal hosts and ports the controller can reach and to make it authenticate to a server the attacker runs; where the request is made with credentials held by the plugin, as the description's wording suggests, an attacker-controlled endpoint can capture them. The issue is rated moderate (medium CVSS) because it requires interaction from a victim with an active Jenkins session and the plugin must be installed [3].

Mitigation

All releases of ElasTest Plugin up to and including 1.2.1 are affected. As of the advisory publication date (September 16, 2020) no fixed release exists, and the plugin is listed among Jenkins plugins with unresolved security issues [2]. Disable or uninstall the plugin until a patched version is published; confirm the installed version in the Plugin Manager (Manage Jenkins > Plugins) before treating an instance as unaffected. Turning on Jenkins' built-in CSRF protection is not a substitute for removal: the crumb check covers POST requests and does not protect an endpoint reachable via GET. The official advisory mentions no other workaround.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:elastest (Maven)
Affected versions: <= 1.2.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 4

News mentions: 1