CWE: 276, 285

CVE-2020-2197

First published: Wed Jun 03 2020

Jenkins limits access to job configuration XML data (`config.xml`) to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL `/job/…/getConfigAsXML` for its Inheritance Project job type that does something similar. Project Inheritance Plugin 21.04.03 and earlier does not check permissions for this new endpoint, granting access to job configuration XML data to every user with Job/Read permission. Additionally, the encrypted values of secrets stored in the job configuration are not redacted, as they would be by the `config.xml` API for users without Job/Configure permission.
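Because the endpoint returned configuration XML to any user with Job/Read, a defender reviewing an instance that ran an affected plugin version will want to know who fetched job configuration through it. The following is an added example (not part of the advisory and not code from the Jenkins project or the plugin): it scans reverse-proxy access log lines for GET requests to the `/job/…/getConfigAsXML` endpoint, including jobs nested in folders, and tallies successful reads per user so they can be compared against who actually holds Job/Configure. The log layout and the log lines are constructed for the example; adapt the `ACCESS_LINE` pattern to the format your proxy writes.

```python
import re
from typing import Dict, List, NamedTuple

# Endpoint named in the advisory: /job/<name>/getConfigAsXML.
# Jobs inside folders appear as /job/<folder>/job/<name>/getConfigAsXML,
# so one or more /job/<segment> groups are allowed before the endpoint.
GET_CONFIG_AS_XML = re.compile(r"^(?:/job/[^/\s?]+)+/getConfigAsXML(?:[/?]|$)")

# Assumed access-log layout (constructed for this example, not a Jenkins default):
# <client_ip> <user> [<timestamp>] "<method> <path> <protocol>" <status>
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3})'
)


class Hit(NamedTuple):
    user: str
    ip: str
    job_path: str   # URL prefix of the job, e.g. /job/team/job/deploy
    status: int


def job_path_of(path: str) -> str:
    """Strip the query string and the trailing endpoint, keeping the job URL prefix."""
    return path.split("?", 1)[0].rsplit("/getConfigAsXML", 1)[0]


def find_config_reads(lines: List[str]) -> List[Hit]:
    """Return every GET request to the getConfigAsXML endpoint, in log order."""
    hits: List[Hit] = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # unparseable or differently formatted line: skip
        path = m.group("path")
        if m.group("method") != "GET" or not GET_CONFIG_AS_XML.match(path):
            continue
        hits.append(Hit(m.group("user"), m.group("ip"), job_path_of(path), int(m.group("status"))))
    return hits


def summarize_by_user(hits: List[Hit]) -> Dict[str, int]:
    """Count successful (2xx) configuration reads per user; denied requests are left out."""
    counts: Dict[str, int] = {}
    for h in hits:
        if 200 <= h.status < 300:
            counts[h.user] = counts.get(h.user, 0) + 1
    return counts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 alice [03/Jun/2020:10:00:01 +0000] "GET /job/build-app/getConfigAsXML HTTP/1.1" 200',
    '10.0.0.5 alice [03/Jun/2020:10:00:02 +0000] "GET /job/build-app/ HTTP/1.1" 200',
    '10.0.0.9 bob [03/Jun/2020:10:05:13 +0000] "GET /job/team/job/deploy/getConfigAsXML?depth=1 HTTP/1.1" 200',
    '10.0.0.9 bob [03/Jun/2020:10:05:20 +0000] "GET /job/team/job/deploy/config.xml HTTP/1.1" 403',
    '10.0.0.7 - [03/Jun/2020:10:07:00 +0000] "GET /job/build-app/getConfigAsXML HTTP/1.1" 403',
]

if __name__ == "__main__":
    for hit in find_config_reads(SAMPLE_LOG):
        print(f"{hit.user:8} {hit.ip:10} {hit.status} {hit.job_path}")
    print(summarize_by_user(find_config_reads(SAMPLE_LOG)))
```

In the sample, bob's `config.xml` request is refused with 403 while his `getConfigAsXML` request for the same job succeeds, which is exactly the discrepancy the advisory describes; a user who appears in the summary but does not hold Job/Configure on that job is a candidate for credential rotation review, since the returned XML carried unredacted encrypted secrets.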

Credit: jenkinsci-cert@googlegroups.com

Affected Software                           Affected Version   How to fix
Jenkins Project Inheritance                 <=19.08.02
maven/hudson.plugins:project-inheritance    <=21.04.03


Frequently Asked Questions

  • What is the severity of CVE-2020-2197?

    The severity of CVE-2020-2197 is medium (4.3).

  • What is the vulnerability description of CVE-2020-2197?

    CVE-2020-2197 is a vulnerability in the Jenkins Project Inheritance Plugin that allows unauthorized access to job configuration XML data.

  • What is the affected software of CVE-2020-2197?

    The affected software of CVE-2020-2197 is Jenkins Project Inheritance Plugin version up to 19.08.02 and hudson.plugins:project-inheritance version up to 21.04.03.

  • How can the vulnerability be exploited?

    The vulnerability can be exploited by using the API URL /job/.../getConfigAsXML to access job configuration XML data without proper permission.

  • Is there a fix available for CVE-2020-2197?

    Yes, a fix is available for CVE-2020-2197. It is recommended to update to a fixed version of the Jenkins Project Inheritance Plugin.
