PT-2020-15478 · Jenkins · Jenkins Blue Ocean Plugin+1

Jinchen Sheng · Published 2020-09-16 · Updated 2023-10-25 · CVE-2020-2254

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Blue Ocean Plugin versions 1.23.2 and earlier

Description: The issue concerns an undocumented feature flag that allows an attacker with specific permissions to read arbitrary files on the Jenkins controller file system. The flag blueocean.features.GIT_READ_SAVE_TYPE can be set to the value clone to enable this capability, affecting users with Item/Configure or Item/Create permission.

Recommendations: For Jenkins Blue Ocean Plugin versions 1.23.2 and earlier, consider updating to version 1.23.3 or later, which no longer includes the vulnerable feature and redirects existing usage to a safer alternative.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-2254
GHSA-VQ7J-6PCQ-F48P
RHSA-2020:4297
RHSA-2020:5102

Affected Products

Jenkins
Jenkins Blue Ocean Plugin