CVE-2020-2160: 
Java vulnerability analysis and mitigation

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier contained a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2020-2160. The vulnerability was discovered by Nick Collisson from Gemini Trust Company, LLC. and was publicly disclosed on March 25, 2020. The vulnerability affected the core Jenkins server and allowed attackers to bypass CSRF protection for any target URL (Jenkins Advisory, NVD).

The vulnerability stems from an extension point in Jenkins that allows selective disabling of CSRF protection for specific URLs. The issue arose because implementations of this extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests. This discrepancy in path representation allowed attackers to craft URLs that could bypass the CSRF protection of any target URL. The vulnerability has a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Jenkins Advisory, NVD).

The vulnerability could allow attackers to bypass CSRF protection mechanisms for any target URL within Jenkins. This could potentially lead to unauthorized actions being performed on behalf of authenticated users, compromising the security of the Jenkins installation (Jenkins Advisory).

The vulnerability was fixed in Jenkins weekly version 2.228 and LTS versions 2.204.6 and 2.222.1. The fix ensures Jenkins uses the same representation of the URL path to decide whether CSRF protection is needed as the Stapler web framework uses. As an additional safeguard, semicolon characters in the path part of a URL are now banned by default. Administrators can disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true, or disable the semicolon protection using jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath (Jenkins Advisory).