PT-2020-15411 · Jenkins · Jenkins Project Inheritance Plugin (+1)

Credit: Daniel Beck (+1)

Published: 2020-06-03 · Updated: 2023-10-25

CVE-2020-2197

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Project Inheritance Plugin versions 21.04.03 and earlier
Jenkins Project Inheritance Plugin versions 19.08.02 and earlier
Description
The issue allows an authenticated user who holds only Job/Read permission to retrieve the configuration of Inheritance Project jobs in XML format, without the Job/ExtendedRead permission Jenkins normally requires. Jenkins restricts job configuration XML (the config.xml endpoint) to users with Job/ExtendedRead, which is usually implied by Job/Configure, and for users who hold Job/ExtendedRead but not Job/Configure it redacts the encrypted values of secrets before returning the file. The Project Inheritance Plugin provides a job inspection feature for its Inheritance Project job type at the API URL "/job/…/getConfigAsXML". In the affected versions this endpoint performs no permission check beyond the Job/Read needed to reach the job, so every user with Job/Read can obtain the job configuration XML. Furthermore, the encrypted values of secrets stored in the job configuration are not redacted for users without Job/Configure permission. Such encrypted values can be decrypted by anyone able to run code on the Jenkins controller (for example through the script console), so exposing them widens the impact beyond disclosure of the configuration itself.
Recommendations
Until a fixed release of the plugin is available: for Jenkins Project Inheritance Plugin versions 21.04.03 and earlier, block the /job/…/getConfigAsXML API endpoint (for example at a reverse proxy in front of Jenkins) so that it cannot be reached. For Jenkins Project Inheritance Plugin versions 19.08.02 and earlier, restrict Job/Read on Inheritance Project jobs to trusted users, since Job/Read alone is sufficient to retrieve their configuration through the unprotected endpoint. Note that the regular config.xml endpoint is not the problem: it still requires Job/ExtendedRead and redacts secrets for users without Job/Configure, so it is getConfigAsXML, not config.xml, that needs to be restricted. Treat secrets stored in Inheritance Project job configurations as potentially exposed to every user who held Job/Read on those jobs, and review or rotate them accordingly.
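The following probe, added here as an example and not code from the advisory, the plugin or Jenkins core, turns the description and recommendations above into a check an administrator can run before and after applying a mitigation. It requests config.xml and getConfigAsXML for the same job as a user who holds only Job/Read: a 403 on config.xml confirms the probe account is not over-privileged, a 200 with XML on getConfigAsXML shows the missing permission check, and any encrypted Secret values in that body show the missing redaction. The base URL, job name, user and API token are placeholders; the folder-less /job/<name>/ path and the braced "{AQAAABAAAA…}" shape of Jenkins 2.x encrypted secrets (version byte, IV length, payload length, IV, ciphertext, base64-encoded) are assumptions stated in the code, and the sample XML is constructed, not a real ciphertext.

```python
"""Probe a Jenkins job for the CVE-2020-2197 behaviour: does
/job/<name>/getConfigAsXML return an Inheritance Project configuration,
including unredacted encrypted secrets, to a user who only has Job/Read?

Added example, not code from the advisory, the plugin or Jenkins core.
Assumptions: BASE_URL/JOB/USER/TOKEN are hypothetical placeholders; the probe
account holds Job/Read but neither Job/ExtendedRead nor Job/Configure.
"""
import base64
import re
import urllib.error
import urllib.request
from urllib.parse import quote

# Jenkins 2.x encodes a hudson.util.Secret as
#   "{" + base64(0x01 | iv_len(4 bytes) | data_len(4 bytes) | iv | ciphertext) + "}"
# With a 16-byte IV and a payload under 64 KiB the base64 header always starts
# "AQAAABAAAA" (assumption documented here), so a braced base64 blob with that
# prefix sitting directly between two tags is an encrypted secret. Jenkins core
# redacts these in config.xml for users without Job/Configure; the affected
# getConfigAsXML endpoint does not.
SECRET_RE = re.compile(r">(\{AQAAABAAAA[A-Za-z0-9+/]+={0,2}\})<")


def find_encrypted_secrets(xml):
    """Return every encrypted Secret value that appears as element text in xml."""
    return SECRET_RE.findall(xml)


def redact(xml):
    """Replace encrypted Secret values with the placeholder core uses ('********')."""
    return SECRET_RE.sub(">********<", xml)


def job_url(base_url, job, endpoint):
    """Build /job/<name>/<endpoint>; jobs inside folders are not handled (assumption)."""
    return f"{base_url.rstrip('/')}/job/{quote(job, safe='')}/{endpoint}"


def fetch(url, user, token, timeout=15):
    """GET url with HTTP basic auth (user + API token); return (status, body)."""
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{user}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""


def assess(config_xml_status, getconfig_status, getconfig_body):
    """Interpret the two probe results for a Job/Read-only account.

    config.xml enforces Job/ExtendedRead, so a 403 there proves the probe user
    really is read-only. A 200 with an XML body on getConfigAsXML then means the
    plugin endpoint skipped that check; encrypted secrets in the body mean the
    redaction step was skipped as well.
    """
    read_only_user = config_xml_status == 403
    leaked = getconfig_status == 200 and getconfig_body.lstrip().startswith("<")
    secrets = find_encrypted_secrets(getconfig_body) if leaked else []
    return {
        "probe_user_is_read_only": read_only_user,
        "config_leaked": read_only_user and leaked,
        "secrets_leaked": len(secrets),
    }


def probe(base_url, job, user, token):
    """Run both requests against a live instance and return the assessment."""
    cfg_status, _ = fetch(job_url(base_url, job, "config.xml"), user, token)
    gc_status, gc_body = fetch(job_url(base_url, job, "getConfigAsXML"), user, token)
    return assess(cfg_status, gc_status, gc_body)


# Constructed sample response for offline use; the secret is not a real ciphertext.
SAMPLE_XML = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <description>build job</description>
  <properties>
    <password>{AQAAABAAAAAQ7h2jK1xZ9q4f0mPQ1YcVaw==}</password>
  </properties>
</project>
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with
    # probe("https://ci.example", "some-job", "reader", "api-token") for a live check.
    print(assess(403, 200, SAMPLE_XML))
    print(redact(SAMPLE_XML))
```

A clean result is `config_leaked: False` with the probe account still getting 403 on config.xml; if the account gets 200 on config.xml the probe is invalid because the user already holds Job/ExtendedRead. The regex deliberately matches only the braced Jenkins 2.x format, so secrets stored in the older unbraced format would be missed.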

Fix

Weakness Enumeration

Improper Authorization (CWE-285)
Incorrect Default Permissions (CWE-276)

Related Identifiers

CVE-2020-2197
GHSA-HJ32-9MCW-5CWH

Affected Products

Jenkins
Jenkins Project Inheritance Plugin