PT-2020-15536 · Jenkins · Jenkins Mercurial Plugin

Published 2020-11-04 · Updated 2023-10-25 · CVE-2020-2306

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Mercurial Plugin versions 2.11 and earlier (that is, all versions prior to 2.12)
Description

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain the list of names of configured Mercurial installations. The plugin exposes an HTTP endpoint that returns these names without checking that the caller holds the permission the corresponding configuration form requires, so any authenticated user who can read the Jenkins instance can enumerate part of its global tool configuration with a single request, without ever opening a configuration page. The disclosed data is limited to installation names (hence CVSS C:L), but it reveals how the controller is set up and can help an attacker plan further activity.
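The weakness class behind this CVE, as an added illustration written for this page: it is not code from the Jenkins Mercurial Plugin and does not reproduce that plugin's actual endpoint. The package name and the classes ExampleScm, ExampleInstallation and their descriptors are hypothetical. It places the unchecked form of a Stapler doFill...Items endpoint beside a form that checks the permission of the page the list is meant for.

```java
// Added illustration for this advisory page; not code from the Jenkins Mercurial
// Plugin. The package and every class name here are hypothetical.
package example;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.tools.ToolDescriptor;
import hudson.tools.ToolInstallation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

/**
 * Hypothetical configurable object whose job-configuration form offers a drop-down
 * of installation names. Jenkins (via Stapler) maps a descriptor method named
 * doFillInstallationItems to the HTTP endpoint
 * /descriptorByName/<descriptor class>/fillInstallationItems. That routing itself
 * only requires Overall/Read; any stronger restriction is up to the method body.
 */
public class ExampleScm extends AbstractDescribableImpl<ExampleScm> {
    private final String installation;

    @DataBoundConstructor
    public ExampleScm(String installation) {
        this.installation = installation;
    }

    public String getInstallation() {
        return installation;
    }

    /**
     * A tool defined under Global Tool Configuration, the analogue of a configured
     * Mercurial installation. Only administrators can open that configuration page.
     */
    public static class ExampleInstallation extends ToolInstallation {
        @DataBoundConstructor
        public ExampleInstallation(String name, String home) {
            super(name, home, null);
        }

        @Extension
        public static class InstallationDescriptor extends ToolDescriptor<ExampleInstallation> {
            @Override
            public String getDisplayName() {
                return "Example tool";
            }
        }
    }

    @Extension
    public static class ScmDescriptor extends Descriptor<ExampleScm> {
        @Override
        public String getDisplayName() {
            return "Example SCM";
        }

        private static ExampleInstallation[] installations() {
            return Jenkins.get()
                    .getDescriptorByType(ExampleInstallation.InstallationDescriptor.class)
                    .getInstallations();
        }

        /**
         * VULNERABLE PATTERN (the bug class described above): no permission check,
         * so every user with Overall/Read can enumerate the installation names with
         * one GET request, without ever seeing a configuration form.
         */
        public ListBoxModel doFillInstallationItemsUnsafe() {
            ListBoxModel items = new ListBoxModel();
            for (ExampleInstallation inst : installations()) {
                items.add(inst.getName(), inst.getName());
            }
            return items;
        }

        /**
         * HARDENED: require the permission of the form the list belongs to. When the
         * request comes from a job's configuration page, Stapler injects that job as
         * @AncestorInPath and Item/Configure is checked; with no item in the path the
         * request targets global configuration, so Overall/Administer is required.
         * A caller without the permission only gets back the value already saved in
         * the form (so the page still renders), never the enumeration.
         */
        public ListBoxModel doFillInstallationItems(@AncestorInPath Item item,
                                                    @QueryParameter String installation) {
            ListBoxModel items = new ListBoxModel();
            boolean allowed = item == null
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.CONFIGURE);
            if (!allowed) {
                if (installation != null && !installation.isEmpty()) {
                    items.add(installation, installation);
                }
                return items;
            }
            for (ExampleInstallation inst : installations()) {
                items.add(inst.getName(), inst.getName());
            }
            return items;
        }
    }
}
```

The same check belongs in every doCheck, doFill and doTest method of a descriptor, since all of them are reachable as web endpoints by anyone with Overall/Read; returning an empty model on failure rather than throwing keeps the configuration form usable for users who merely lack the extra permission.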
Recommendations

Update Jenkins Mercurial Plugin to version 2.12 or later, which adds the missing permission check. Until the update can be applied, reduce exposure by limiting the accounts that hold Overall/Read (for example, do not grant it to anonymous or to all authenticated users) and, where a reverse proxy fronts Jenkins, by restricting access to the plugin's HTTP endpoint there. After updating, confirm the installed version in the plugin manager.

Weakness Enumeration

CWE-862: Missing Authorization

Related Identifiers

CVE-2020-2306
GHSA-VRRC-3WWH-FRGX
RHSA-2021:0034
RHSA-2021:0038
RHSA-2021:0637

Affected Products

Jenkins
Jenkins Mercurial Plugin