CVE-2020-2090

Name of the Vulnerable Software and Affected Versions Jenkins Amazon EC2 Plugin versions 1.47 and earlier

Description A cross-site request forgery issue allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. The vulnerability is due to the lack of permission checks in methods performing form validation, which can be exploited by users with Overall/Read access to Jenkins. This might also potentially allow attackers to capture credentials stored in Jenkins, although this has not been confirmed. The form validation methods are also vulnerable to CSRF as they do not require POST requests.

Recommendations For Jenkins Amazon EC2 Plugin versions 1.47 and earlier, update to version 1.48 or later, which requires POST requests and Overall/Administer permission for the affected form validation methods, mitigating the issue.