PT-2020-15410 · Jenkins · Jenkins Selenium Plugin

Daniel Beck

Published: 2020-06-03 · Updated: 2023-10-25

CVE-2020-2196

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Selenium Plugin versions 3.141.59 and earlier

Description: The Jenkins Selenium Plugin does not enforce CSRF protection on its HTTP endpoints, which allows attackers to perform administrative actions through a user who is logged in to Jenkins. Specifically, an attacker can restart the Selenium Grid hub, delete or replace the plugin configuration, and start, stop, or restart Selenium configurations on specific nodes. Through carefully chosen configuration parameters, these actions can result in OS command injection on the Jenkins controller.

Recommendations: For Jenkins Selenium Plugin versions 3.141.59 and earlier, consider disabling access to the plugin's HTTP endpoints until a fix is available, to prevent potential exploitation. Restricting configuration changes and node management also helps reduce the risk. As a temporary workaround, limit the ability to restart the Selenium Grid hub and to modify the plugin configuration to authorized personnel only.

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2020-2196
GHSA-RP4X-XPGF-4XV7

Affected Products

Jenkins
Jenkins Selenium Plugin