PT-2020-15400 · Jenkins · Jenkins Amazon Ec2 Plugin

Oleg Nenashev · Published 2020-05-06 · Updated 2023-10-25 · CVE-2020-2186

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier

Description: A cross-site request forgery (CSRF) issue allows attackers to provision instances. The plugin does not require POST requests for several of its HTTP endpoints, so those endpoints can be triggered by a cross-site request made from a victim's authenticated browser session. An attacker can use this to provision instances with an attacker-specified template ID.

Recommendations: For Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier, update to version 1.50.2 or later, which requires POST requests for the affected HTTP endpoints.
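As an added illustration, not code from the EC2 plugin or from the advisory, the shape of the defect and of the fix described above in a Jenkins plugin web method. ExampleCloud, doProvisionUnsafe and provisionFromTemplate are hypothetical names; the Stapler annotations, the Cloud base class and its PROVISION permission are real Jenkins APIs.

```java
import hudson.model.Label;
import hudson.slaves.Cloud;
import hudson.slaves.NodeProvisioner;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Collection;
import java.util.Collections;

// Hypothetical cloud implementation used only to show the two endpoint shapes.
public class ExampleCloud extends Cloud {

    public ExampleCloud(String name) {
        super(name);
    }

    // Before the fix: Stapler binds this method to .../provision for any HTTP
    // verb. A page on another origin can make the victim's browser issue
    // GET .../provision?template=<id> with the victim's session cookie, and the
    // instance is provisioned with the attacker-chosen template ID.
    public HttpResponse doProvisionUnsafe(@QueryParameter String template) {
        provisionFromTemplate(template);
        return HttpResponses.ok();
    }

    // After the fix: @RequirePOST makes Stapler reject non-POST requests, and a
    // cross-origin POST is stopped by Jenkins' CSRF crumb check. The explicit
    // permission check additionally keeps users who may only read the cloud
    // configuration from reaching the provisioning action at all.
    @RequirePOST
    public HttpResponse doProvision(@QueryParameter String template) {
        checkPermission(PROVISION);
        provisionFromTemplate(template);
        return HttpResponses.ok();
    }

    // Placeholder for the real provisioning logic (hypothetical).
    private void provisionFromTemplate(String template) {
        // Look up the template by ID and start an instance from it.
    }

    @Override
    public Collection<NodeProvisioner.PlannedNode> provision(Label label, int excessWorkload) {
        return Collections.emptyList();
    }

    @Override
    public boolean canProvision(Label label) {
        return false;
    }
}
```

A quick check that a deployed plugin has the hardened shape: a GET to the provisioning endpoint should be rejected rather than acted on, and only a POST carrying a valid crumb should succeed.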

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2020-2186
GHSA-W6HW-57JQ-H7F5

Affected Products

Jenkins
Jenkins Amazon Ec2 Plugin