PT-2020-15405 · Jenkins · Jenkins Self-Organizing Swarm Plug-In Modules Plugin
| Author | Oleg Nenashev |
| Published | 2020-06-03 |
| Updated | 2023-10-25 |
| CVE | CVE-2020-2191 |
| CVSS v3.1 | 4.3 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier
Description
The vulnerability is a missing permission check on the API endpoints that add and remove agent labels. Users with Agent/Create permission can therefore modify the labels of any agent: the affected endpoints require only the global Swarm secret and perform no regular permission check against the caller.
Recommendations
For Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier, update to version 3.21 or later, which requires Agent/Configure permission for the affected agent to access the API endpoints and no longer uses the global Swarm secret for these endpoints.
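The pattern behind the Description and the Recommendations above, as an added illustration that is not code from the Swarm plugin or from Jenkins: a label-update handler gated only by a global shared secret, beside a fixed variant that authorizes the caller against the specific agent being modified (the per-agent Agent/Configure check the fix introduces) and ignores the shared secret for that decision. The secret value, the users, the agents and the permission model are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed value standing in for a single global shared secret.
SWARM_SECRET = "constructed-swarm-secret"


class PermissionDenied(Exception):
    """Raised when a request fails authorization."""


@dataclass
class Agent:
    name: str
    labels: set = field(default_factory=set)


@dataclass
class User:
    name: str
    global_permissions: set     # e.g. {"Agent/Create"}; a global grant, not per agent
    configurable_agents: set    # agents on which the user holds Agent/Configure


def has_agent_configure(user: User, agent_name: str) -> bool:
    """Per-object check: Agent/Configure on this agent, or global administer."""
    return ("Overall/Administer" in user.global_permissions
            or agent_name in user.configurable_agents)


def update_labels_vulnerable(agents, secret, agent_name, add=(), remove=()):
    """Shape of the flaw: the only gate is knowledge of the global secret, so any
    caller who holds that one value can relabel any agent. Nothing here looks at
    who the caller is or what rights they have on the target agent."""
    if not hmac.compare_digest(secret, SWARM_SECRET):
        raise PermissionDenied("invalid swarm secret")
    agent = agents[agent_name]
    agent.labels |= set(add)
    agent.labels -= set(remove)
    return sorted(agent.labels)


def update_labels_fixed(agents, user, agent_name, add=(), remove=()):
    """Shape of the fix: authorization is decided per agent from the caller's
    own permissions; the shared secret plays no part in it."""
    if not has_agent_configure(user, agent_name):
        raise PermissionDenied(f"{user.name} lacks Agent/Configure on {agent_name}")
    agent = agents[agent_name]
    agent.labels |= set(add)
    agent.labels -= set(remove)
    return sorted(agent.labels)


def build_fixture():
    """Constructed inventory: two agents and one low-privileged user who may
    create agents but may configure only the agent he owns."""
    agents = {
        "linux-1": Agent("linux-1", {"linux"}),
        "win-1": Agent("win-1", {"windows"}),
    }
    bob = User("bob", {"Agent/Create"}, {"win-1"})
    return agents, bob


def demo():
    results = {}
    # Vulnerable handler: bob relabels linux-1, an agent he has no rights on,
    # because the request carries the global secret.
    agents, bob = build_fixture()
    results["vulnerable_linux1"] = update_labels_vulnerable(
        agents, SWARM_SECRET, "linux-1", add={"deploy"})
    # Fixed handler: the same request is refused...
    agents, bob = build_fixture()
    try:
        update_labels_fixed(agents, bob, "linux-1", add={"deploy"})
        results["fixed_linux1"] = "allowed"
    except PermissionDenied:
        results["fixed_linux1"] = "denied"
    # ...while relabelling the agent bob may configure still works.
    results["fixed_win1"] = update_labels_fixed(
        agents, bob, "win-1", add={"deploy"}, remove={"windows"})
    return results


if __name__ == "__main__":
    print(demo())
```

The point the two handlers make is the one the advisory's fix encodes: a secret shared by everyone who can create agents identifies nobody in particular, so it cannot substitute for an authorization decision about a specific agent; the per-agent permission check has to be made regardless of which credential the request carried.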
Weakness Types
Improper Authorization
Incorrect Default Permissions
Affected Products
Jenkins
Jenkins Self-Organizing Swarm Plug-In Modules Plugin