PT-2020-15305 · Cloudbees+1 · Jenkins

Thijs Alkemade · Published 2020-01-29 · Updated 2024-03-06 · CVE-2020-2099

CVSS v3.1 8.6 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.213 and earlier
Jenkins LTS versions 2.204.1 and earlier

Description

Jenkins 2.213 and earlier and Jenkins LTS 2.204.1 and earlier reuse encryption key parameters in the Inbound TCP Agent Protocol/3. An unauthorized attacker who knows an agent's name can exploit this to obtain that agent's connection secret and then connect to Jenkins impersonating the agent. The protocol was deprecated in 2018 and removed from Jenkins in version 2.214; in older versions it is not enabled by default but could be turned on by an administrator, so an affected version is only exposed while the protocol is enabled.

Recommendations

Jenkins 2.213 and earlier: update to 2.214 or later, which removes the Inbound TCP Agent Protocol/3 entirely.
Jenkins LTS 2.204.1 and earlier: update to 2.204.2 or later, and do not set the system property jenkins.slaves.JnlpSlaveAgentProtocol3.ALLOW_UNSAFE to true, as that re-enables the vulnerable protocol.
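The version check alone does not settle exposure: an affected build with the protocol switched off is not reachable, and a patched LTS build with ALLOW_UNSAFE set is. The following triage helper is an added example for this advisory, not Jenkins project code. It classifies a controller from the response headers of its /tcpSlaveAgentListener/ endpoint (the version header X-Jenkins and the protocol list X-Jenkins-Agent-Protocols, with the Protocol/3 entry advertised as JNLP3-connect); those header and protocol names are taken from Jenkins behaviour, not from this page, so confirm them against your own instance. The sample responses are constructed, and the only networked function is not run on import.

```python
"""Triage helper for CVE-2020-2099 (Inbound TCP Agent Protocol/3 on Jenkins).

Added example for this advisory, not Jenkins project code. It decides from
response headers whether a controller (a) runs a version in the affected
range and (b) still advertises JNLP3-connect, which is what actually exposes
the weak protocol (including LTS 2.204.2+ where ALLOW_UNSAFE re-enabled it).
Header and protocol names are assumed from Jenkins behaviour; verify locally.
"""
import re
import urllib.request

# First fixed releases per the advisory (weekly line, LTS line).
WEEKLY_FIXED = (2, 214)
LTS_FIXED = (2, 204, 2)
# Name under which Protocol/3 appears in X-Jenkins-Agent-Protocols (assumed).
JNLP3 = "JNLP3-connect"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.204.1' -> (2, 204, 1); '2.213' -> (2, 213); None if unparseable."""
    m = _VERSION_RE.match(text.strip()) if text else None
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def version_is_vulnerable(version):
    """Weekly releases have two components, LTS three; each line has its own fix."""
    v = parse_version(version)
    if v is None:
        return None  # unknown; the caller must not treat this as safe
    fixed = LTS_FIXED if len(v) == 3 else WEEKLY_FIXED
    return v < fixed


def advertised_protocols(header):
    """Split 'JNLP3-connect, JNLP4-connect, Ping' into a list of names."""
    return [p.strip() for p in (header or "").split(",") if p.strip()]


def assess(headers):
    """Classify one controller from its /tcpSlaveAgentListener/ response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    version = h.get("x-jenkins")
    protocols = advertised_protocols(h.get("x-jenkins-agent-protocols"))
    jnlp3_on = JNLP3 in protocols
    old = version_is_vulnerable(version)
    if jnlp3_on:
        # Either an unpatched build, or a patched one started with
        # -Djenkins.slaves.JnlpSlaveAgentProtocol3.ALLOW_UNSAFE=true.
        verdict = "vulnerable"
    elif old is None:
        verdict = "unknown-version"
    elif old:
        # Vulnerable code is present but unreachable until an admin enables it.
        verdict = "affected-version-jnlp3-disabled"
    else:
        verdict = "fixed"
    return {"version": version, "protocols": protocols,
            "jnlp3_enabled": jnlp3_on, "verdict": verdict}


def fetch_headers(base_url, timeout=10):
    """Live check (not run on import): GET <base_url>/tcpSlaveAgentListener/."""
    url = base_url.rstrip("/") + "/tcpSlaveAgentListener/"
    with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
        return dict(resp.headers)


# Constructed sample responses (not captured from real hosts).
SAMPLE_RESPONSES = {
    "lts_unpatched": {"X-Jenkins": "2.204.1",
                      "X-Jenkins-Agent-Protocols": "JNLP3-connect, JNLP4-connect, Ping"},
    "lts_patched": {"X-Jenkins": "2.204.2",
                    "X-Jenkins-Agent-Protocols": "JNLP4-connect, Ping"},
    "lts_patched_allow_unsafe": {"X-Jenkins": "2.204.2",
                                 "X-Jenkins-Agent-Protocols": "JNLP3-connect, JNLP4-connect, Ping"},
    "weekly_old_jnlp3_off": {"X-Jenkins": "2.210",
                             "X-Jenkins-Agent-Protocols": "JNLP4-connect, Ping"},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_jnlp3.py https://jenkins.example
        print(assess(fetch_headers(sys.argv[1])))
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:28} {assess(hdrs)['verdict']}")
```

The "affected-version-jnlp3-disabled" verdict still warrants the update: the weak protocol is one configuration change away from being reachable, and the version check is what an auditor will flag. If the TCP agent port is disabled the endpoint is not served at all, which the live fetch surfaces as an HTTP error rather than a verdict.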

Fix

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

BIT-JENKINS-2020-2099
CVE-2020-2099
GHSA-QP4F-2W67-C8HW

Affected Products

Jenkins