CVE-2020-2197

UNKNOWN
Published 2020-06-03T12:40:26
No CVSS data available

Description

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.

Available Exploits

No exploits available for this CVE.

GitHub Security Advisories

GitHub Reviewed. Severity: MODERATE

Missing permission check in Jenkins Project Inheritance Plugin

GHSA-hj32-9mcw-5cwh

Advisory Details

Jenkins limits access to job configuration XML data (`config.xml`) to users with Job/ExtendedRead permission, which is typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL `/job/…/getConfigAsXML` for its Inheritance Project job type, which returns the same kind of job configuration XML. Project Inheritance Plugin 21.04.03 and earlier does not check permissions for this endpoint, granting access to job configuration XML data to every user with Job/Read permission. Additionally, the encrypted values of secrets stored in the job configuration are not redacted in this output, as they would be by the `config.xml` API for users without Job/Configure permission.

Affected Packages

Ecosystem: Maven
Package: hudson.plugins:project-inheritance
Affected versions: >= 0, <= 21.04.03

CVSS Scoring

CVSS Score: 5.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: October 26, 2023

Last Modified: 2024-08-04T07:01:41.113Z