PT-2020-15479 · Jenkins · Jenkins Blue Ocean Plugin+1
Jinchen Sheng
·
Published
2020-09-16
·
Updated
2023-10-25
·
CVE-2020-2255
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Blue Ocean Plugin versions 1.23.2 and earlier
Description
A missing permission check in the Jenkins Blue Ocean Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL. The HTTP request itself is legitimate, but only authorized users should be able to perform it. This issue affects several HTTP endpoints implementing connection tests.
Recommendations
For Jenkins Blue Ocean Plugin versions 1.23.2 and earlier, update to version 1.23.3 or later, which requires Item/Create permission to perform connection tests, thereby addressing the missing permission check issue.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Blue Ocean Plugin