PT-2020-15310 · Jenkins · Jenkins
Daniel Beck, +1
Published: 2020-01-29
Updated: 2024-03-06
CVE-2020-2103
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.218 and earlier
Jenkins LTS versions 2.204.1 and earlier
Description
The /whoAmI page in affected versions shows various technical details about the current user, including user metadata that could contain the HTTP session ID. The Cookie header value containing the HTTP session ID was already redacted on this page, but the user metadata could still include the same ID. As a result, an attacker who is able to exploit a cross-site scripting vulnerability in Jenkins can read the HTTP session ID value from the /whoAmI page, even though the session cookie is otherwise not exposed to script.
Recommendations
For Jenkins versions 2.218 and earlier, update to version 2.219 or later to resolve the issue.
For Jenkins LTS versions 2.204.1 and earlier, update to version 2.204.2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the /whoAmI page until a patch is applied.
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins