PT-2020-15406 · Jenkins · Jenkins Self-Organizing Swarm Plug-In Modules Plugin

Oleg Nenashev · Published 2020-06-03 · Updated 2023-10-25 · CVE-2020-2192

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier

Description: A cross-site request forgery issue allows attackers to add or remove agent labels. The Swarm Plugin adds API endpoints to manage agent labels, but in versions 3.20 and earlier, these endpoints only require a global Swarm secret and do not perform regular permission checks. This allows users with Agent/Create permission to modify labels of any agent. Furthermore, these API endpoints can be exploited without requiring POST requests, leading to a cross-site request forgery vulnerability.

Recommendations: For Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier, update to version 3.21 or later, which requires POST requests and Agent/Configure permission for the affected agent to access the API endpoints, and no longer uses the global Swarm secret for these operations.
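As an added illustration, not code from the Swarm plugin or from the Jenkins project: a Jenkins Stapler web method that applies the two controls the fixed version introduces, POST only and Agent/Configure checked against the specific agent, in place of a shared global secret. The action class, its URL, and the `name`/`labels` parameter names are assumptions.

```java
import hudson.Extension;
import hudson.model.Computer;
import hudson.model.Node;
import hudson.model.RootAction;
import java.io.IOException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical root action exposing an "add label" endpoint at /agent-labels/addLabel.
// The pre-3.21 pattern described in the advisory accepted any HTTP method and
// trusted a single global secret, so a GET link planted on another site (CSRF)
// could relabel any agent. The two annotations/calls below are the remediation.
@Extension
public class AgentLabelApi implements RootAction {

    @RequirePOST  // GET is rejected, so a link or image tag on another site cannot trigger it
    public HttpResponse doAddLabel(@QueryParameter String name,
                                   @QueryParameter String labels) throws IOException {
        Computer c = Jenkins.get().getComputer(name);
        if (c == null) {
            return HttpResponses.errorWithoutStack(404, "no such agent: " + name);
        }
        // Per-agent authorization instead of a global secret: throws an access-denied
        // exception (rendered as HTTP 403) unless the caller may configure THIS agent.
        c.checkPermission(Computer.CONFIGURE);

        Node n = c.getNode();
        if (n == null) {
            return HttpResponses.errorWithoutStack(404, "agent has no node: " + name);
        }
        // Append the new labels and persist the node configuration.
        n.setLabelString((n.getLabelString() + " " + labels).trim());
        Jenkins.get().updateNode(n);
        return HttpResponses.ok();
    }

    @Override public String getIconFileName() { return null; }  // no sidebar link
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "agent-labels"; }
}
```

Because `@RequirePOST` applies before the method body runs, Jenkins' built-in crumb (CSRF token) check also covers the request, which it would not for a GET.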

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2020-2192
GHSA-C264-8834-PPJ2

Affected Products

Jenkins
Jenkins Self-Organizing Swarm Plug-In Modules Plugin