Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

Affected Packages

Maven org.jenkins-ci.plugins:cloudbees-jenkins-advisor

Affected versions: 0 (fixed in 3.0.1)

Related CVEs

CVE-2020-2094

Key Information

GHSA ID

GHSA-h72v-652w-xv64

Published

May 24, 2022 5:06 PM

Last Modified

December 21, 2022 4:43 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:cloudbees-jenkins-advisor

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.