PT-2020-15396 · Jenkins · Jenkins Artifactory Plugin+1

Jesse Glick · Published 2020-05-06 · Updated 2023-10-25 · CVE-2020-2183

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Copy Artifact Plugin versions 1.43.1 and earlier

Description

The issue arises from improper permission checks, allowing attackers to copy artifacts from jobs they have no permission to access. This is particularly concerning for attackers with Job/Configure permission, as they can configure jobs to copy artifacts from restricted jobs. The estimated number of potentially affected devices worldwide is not available.

Recommendations

For Jenkins Copy Artifact Plugin versions 1.43.1 and earlier, update to version 1.44 or later. After updating, switch from "Migration mode" to "Production mode" to enable the additional protections, noting that this may cause existing jobs to fail to copy artifacts.

Fix

Improper Authorization

Incorrect Default Permissions

Weakness Enumeration

Related Identifiers

CVE-2020-2183
GHSA-VV89-XGGX-QQH2

Affected Products

Jenkins
Jenkins Artifactory Plugin