First published: Wed Jun 03 2020
Jenkins limits access to job configuration XML data (`config.xml`) to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL `/job/…/getConfigAsXML` for its Inheritance Project job type, which exposes the same kind of data. Project Inheritance Plugin 21.04.03 and earlier does not check permissions for this endpoint, granting access to job configuration XML data to every user with Job/Read permission. Additionally, the encrypted values of secrets stored in the job configuration are not redacted, as they would be by the `config.xml` API for users without Job/Configure permission.
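As an added illustration of the two controls the advisory says are missing (not code from the plugin or from Jenkins core), the hypothetical helper below shows the unchecked shape beside a guarded one that a job type's `getConfigAsXML` web method could call: it requires Job/ExtendedRead and redacts encrypted secrets for callers without Job/Configure, mirroring what core's `config.xml` endpoint does. The class and method names are assumptions; the Jenkins APIs used (`checkPermission`, `hasPermission`, `Secret.ENCRYPTED_VALUE_PATTERN`, `Secret.decrypt`) are real.

```java
import hudson.model.AbstractItem;
import hudson.model.Item;
import hudson.util.Secret;
import org.kohsuke.stapler.StaplerResponse;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: serves a job's config XML with the same guards core applies to config.xml. */
public final class GuardedConfigXml {
    // A text node holding an encrypted Secret, using Jenkins' own ciphertext pattern.
    private static final Pattern SECRET_PATTERN =
            Pattern.compile(">(" + Secret.ENCRYPTED_VALUE_PATTERN + ")<");

    // Unchecked shape described in the advisory: the raw file is streamed with no
    // permission check, so every Job/Read user sees the encrypted secret values.
    static void writeUnchecked(AbstractItem job, StaplerResponse rsp) throws IOException {
        rsp.setContentType("application/xml;charset=UTF-8");
        rsp.getWriter().write(job.getConfigFile().asString());
    }

    // Guarded shape: Job/ExtendedRead is required (AccessDeniedException, rendered as
    // HTTP 403), and secrets are redacted unless the caller also holds Job/Configure.
    static void writeGuarded(AbstractItem job, StaplerResponse rsp) throws IOException {
        job.checkPermission(Item.EXTENDED_READ);
        String xml = job.getConfigFile().asString();
        if (!job.hasPermission(Item.CONFIGURE)) {
            xml = redactSecrets(xml);
        }
        rsp.setContentType("application/xml;charset=UTF-8");
        rsp.getOutputStream().write(xml.getBytes(StandardCharsets.UTF_8));
    }

    // Replaces every <tag>ciphertext</tag> value that decrypts with this instance's
    // master key; values that merely look like ciphertext are left untouched.
    static String redactSecrets(String xml) {
        Matcher m = SECRET_PATTERN.matcher(xml);
        StringBuffer redacted = new StringBuffer();
        while (m.find()) {
            if (Secret.decrypt(m.group(1)) != null) {
                m.appendReplacement(redacted, ">********<");
            }
        }
        m.appendTail(redacted);
        return redacted.toString();
    }
}
```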
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Project Inheritance | <=19.08.02 | |
| maven/hudson.plugins:project-inheritance | <=21.04.03 | |
The severity of CVE-2020-2197 is medium (4.3).
CVE-2020-2197 is a vulnerability in the Jenkins Project Inheritance Plugin that allows unauthorized access to job configuration XML data.
The affected software of CVE-2020-2197 is Jenkins Project Inheritance Plugin version up to 19.08.02 and hudson.plugins:project-inheritance version up to 21.04.03.
The vulnerability can be exploited by requesting the API URL `/job/…/getConfigAsXML`, which returns the job configuration XML data without the Job/ExtendedRead permission check that `config.xml` enforces.
Yes, a fix is available for CVE-2020-2197. It is recommended to update to a fixed version of the Jenkins Project Inheritance Plugin.