CVE-2020-2321
Description
A CSRF vulnerability in Jenkins Shelve Project Plugin 3.0 and earlier allows attackers to shelve, unshelve, or delete a project without proper authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Overview
A cross-site request forgery (CSRF) vulnerability exists in Jenkins Shelve Project Plugin versions 3.0 and earlier. The plugin does not require a specific token or confirmation for actions such as shelving, unshelving, or deleting a project, allowing attackers to perform these actions on behalf of an authenticated user [2].
Exploitation
To exploit this vulnerability, an attacker must trick a Jenkins user with appropriate permissions (DELETE for shelving, ADMINISTER for unshelving) into executing a crafted request. This is typically achieved via social engineering, such as luring the victim to click a malicious link or visit a compromised website while they are authenticated to Jenkins [2].
Impact
Successful exploitation enables an attacker to shelve (move to archive), unshelve (restore), or permanently delete a project. This could lead to project data loss, disruption of CI/CD pipelines, or unauthorized restoration of shelved projects [2].
Mitigation
The vulnerability is fixed in Shelve Project Plugin version 3.1, released on December 3, 2020 [4]. Users should upgrade to this version or later. No workaround is available other than preventing users from accessing Jenkins during the upgrade process [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
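Added here as an example (not the advisory's or the plugin's own code): a defender-side check for the upgrade guidance above. It reads the JSON that Jenkins' plugin manager API (`/pluginManager/api/json?depth=1`) returns and flags an installed Shelve Project Plugin older than 3.1; the document below is constructed, and the field names `shortName`, `version` and `active` are assumed to match that API.

```python
import json
from typing import Optional

# Constructed sample shaped like Jenkins' /pluginManager/api/json?depth=1 output
# (fields trimmed); not data from a real instance.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({"plugins": [
    {"shortName": "shelve-project-plugin", "longName": "Shelve Project Plugin",
     "version": "3.0", "active": True, "enabled": True},
    {"shortName": "git", "longName": "Git plugin",
     "version": "4.5.0", "active": True, "enabled": True},
]})

PLUGIN_ID = "shelve-project-plugin"  # plugin short name (assumed to match the API)
FIXED_VERSION = "3.1"                # first release carrying the fix


def parse_version(version: str) -> tuple:
    """Map '3.0', '3.1.1' or '3.1-SNAPSHOT' to a comparable tuple: the first
    four dotted numeric parts (zero-padded), then 1 for a plain release or
    0 plus the qualifier for a pre-release, which sorts before the release."""
    core, sep, qualifier = version.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")][:4]
    nums = tuple(parts + [0] * (4 - len(parts)))
    return nums + ((1,) if not sep else (0, qualifier))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the first patched release."""
    return parse_version(installed) < parse_version(fixed)


def find_plugin(plugin_manager_json: str, short_name: str) -> Optional[dict]:
    # Return the plugin entry with the given shortName, or None if absent.
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(plugin_manager_json: str) -> str:
    """Classify an instance: not-installed, patched, vulnerable or inactive-*."""
    plugin = find_plugin(plugin_manager_json, PLUGIN_ID)
    if plugin is None:
        return "not-installed"
    outdated = is_vulnerable(plugin["version"])
    if not plugin.get("active", True):
        # An inactive plugin is not loaded, so its URL handlers are not served,
        # but the outdated plugin file still needs upgrading before re-enabling.
        return "inactive-outdated" if outdated else "inactive-ok"
    return "vulnerable" if outdated else "patched"
```

Calling `assess(SAMPLE_PLUGIN_MANAGER_JSON)` on the constructed sample returns "vulnerable"; for a real instance, pass in the body of `/pluginManager/api/json?depth=1` fetched with an account allowed to read the plugin manager.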
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:shelve-project-plugin (Maven) | < 3.1 | 3.1 |
Affected products
- Range: unspecified
Patches
5cb9a4733e9c [SECURITY-2108]
2 files changed · +4 −0
src/main/java/org/jvnet/hudson/plugins/shelveproject/ShelvedProjectsAction.java+2 −0 modified@@ -11,6 +11,7 @@ import org.kohsuke.stapler.StaplerResponse; import org.kohsuke.stapler.export.Exported; import org.kohsuke.stapler.export.ExportedBean; +import org.kohsuke.stapler.verb.POST; import javax.servlet.ServletException; import java.io.File; @@ -114,6 +115,7 @@ private ShelvedProject getLegacyShelvedProjectFromArchive(File archive) { } @SuppressWarnings({"UnusedDeclaration"}) + @POST public HttpResponse doManageShelvedProject(StaplerRequest request, StaplerResponse response) throws IOException, ServletException {
src/main/java/org/jvnet/hudson/plugins/shelveproject/ShelveProjectAction.java+2 −0 modified@@ -6,6 +6,7 @@ import jenkins.model.Jenkins; import org.kohsuke.stapler.HttpRedirect; import org.kohsuke.stapler.HttpResponse; +import org.kohsuke.stapler.verb.POST; import javax.servlet.ServletException; import java.io.IOException; @@ -50,6 +51,7 @@ public boolean isShelvingProject() { } @SuppressWarnings({"UnusedDeclaration"}) + @POST public HttpResponse doShelveProject() throws IOException, ServletException { Jenkins.getInstance().checkPermission(Item.DELETE);
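Review bot: in the ShelvedProjectsAction hunk the context stops at the doManageShelvedProject signature, so the permission check that should pair with the new verb guard is not visible; confirm in the same review that it is still enforced before the request parameters are acted on. @POST by itself only restricts the HTTP verb, and the CSRF benefit comes from Jenkins running its crumb check on POST requests, so an instance with CSRF protection turned off gains nothing from this annotation.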
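Review bot: the ShelveProjectAction hunk covers the shelve side (doShelveProject already calls checkPermission(Item.DELETE)) and the other hunk covers doManageShelvedProject, but the advisory names three actions (shelve, unshelve, delete), so the review should confirm that no further do* handler in the plugin remains reachable via GET. The summary also shows no view or changelog change (2 files changed, +4 −0): any existing GET link or non-POST form pointing at these URLs will now be rejected, so the jelly views should be verified to submit via POST and the change noted for users who script these endpoints.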
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-9f37-ggxm-h6wx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2321 (NVD entry)
- www.openwall.com/lists/oss-security/2020/12/03/2 (oss-security mailing list)
- github.com/jenkinsci/shelve-project-plugin/commit/5cb9a4733e9cf37d2e7932928698537b1a9fdaec (fix commit)
- www.jenkins.io/security/advisory/2020-12-03/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2020-12-03, Jenkins Security Advisories · Dec 3, 2020