PT-2020-15418 · Jenkins · Jenkins Fortify On Demand Plugin+1

Daniel Beck

Published

2020-07-02

Updated

2023-10-25

CVE-2020-2204

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Fortify on Demand Plugin versions 5.0.1 and earlier

Description A missing permission check in the Jenkins Fortify on Demand Plugin allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

Recommendations For Jenkins Fortify on Demand Plugin versions 5.0.1 and earlier, update to version 6.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the globally configured Fortify on Demand endpoint to minimize the risk of exploitation.

Fix

Improper Authorization

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-862

Related Identifiers

CVE-2020-2204

GHSA-FHMF-XF2Q-4M8P

Affected Products

Jenkins

Jenkins Fortify On Demand Plugin

PT-2020-15418 · Jenkins · Jenkins Fortify On Demand Plugin+1

CVE-2020-2204

Weakness Enumeration

Related Identifiers

Affected Products

References · 9