PT-2020-15554 · Jenkins · Jenkins Plugin Installation Manager Tool

Daniel Beck · Published 2020-12-03 · Updated 2023-10-25 · CVE-2020-2320

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins Plugin Installation Manager Tool versions 2.1.3 and earlier
Description: Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. A third party that controls what the tool receives, such as the operator of a download mirror, can therefore supply a crafted plugin in place of the genuine one. The tool is typically used to download and install plugins before Jenkins is running (for example while building a container image), so the crafted download is installed without any check on its contents. The estimated number of potentially affected installations is not provided.
Recommendations: Users of Jenkins Plugin Installation Manager Tool 2.1.3 and earlier should update to version 2.2.0. In a Dockerfile that extends the official Jenkins image, replace the bundled tool with the 2.2.0 release:

    ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
    RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar

Alternatively, use the Docker images of Jenkins 2.269 or 2.263.1, or the Jenkinsfile Runner 1.0-beta-22 Docker images, all of which already include Plugin Installation Manager Tool 2.2.0.
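The following is an added example, not code from the Plugin Installation Manager Tool or the Jenkins project. It contrasts the unverified-download pattern described above with a hardened variant that refuses to install a plugin unless its SHA-256 digest matches the digest published in update-center metadata. The metadata shape (a `plugins` entry with a base64-encoded `sha256` field), the plugin bytes, the digests and the in-memory `Mirror` stand-in for the download server are all constructed here so the example runs offline; the page itself does not describe how the 2.2.0 release performs its check, so this is an illustration of the general technique rather than a reproduction of the fix.

```python
"""Added example: unverified plugin download vs. digest-verified download.

Not code from the Jenkins project. All plugin contents, digests and
update-center metadata below are constructed for illustration.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass


class PluginVerificationError(Exception):
    """Raised when a downloaded plugin does not match the expected digest."""


# Constructed plugin archive contents (a real .hpi is a zip; bytes suffice here).
GENUINE_HPI = b"PK\x03\x04genuine-plugin-contents"
TAMPERED_HPI = b"PK\x03\x04plugin-with-attacker-payload"


def _sha256_b64(data: bytes) -> str:
    """Base64 SHA-256, the encoding assumed for the metadata 'sha256' field."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


# Constructed metadata in the shape of an update-center.json "plugins" entry.
# In practice this must be fetched from a channel the mirror does not control.
UPDATE_CENTER_PLUGINS = {
    "example-plugin": {
        "version": "1.0",
        "url": "https://updates.example.invalid/example-plugin/1.0/example-plugin.hpi",
        "sha256": _sha256_b64(GENUINE_HPI),
    }
}


@dataclass
class Mirror:
    """Stand-in for a download mirror; a malicious operator serves `served`."""
    served: bytes

    def fetch(self, url: str) -> bytes:
        # A real client would perform an HTTP GET on `url`; here the mirror
        # simply hands back whatever its operator chose to serve.
        return self.served


def install_unverified(mirror: Mirror, name: str) -> bytes:
    """Vulnerable pattern (2.1.3 and earlier): install whatever the mirror returns."""
    meta = UPDATE_CENTER_PLUGINS[name]
    return mirror.fetch(meta["url"])


def install_verified(mirror: Mirror, name: str) -> bytes:
    """Hardened pattern: install only if the SHA-256 matches the published digest."""
    meta = UPDATE_CENTER_PLUGINS[name]
    data = mirror.fetch(meta["url"])
    expected = base64.b64decode(meta["sha256"])
    actual = hashlib.sha256(data).digest()
    # Constant-time comparison; a mismatch means the mirror served something else.
    if not hmac.compare_digest(expected, actual):
        raise PluginVerificationError(
            f"{name}: sha256 mismatch (expected {meta['sha256']}, got {_sha256_b64(data)})"
        )
    return data


def demo() -> dict:
    """Run both installers against an honest and a malicious mirror."""
    honest, malicious = Mirror(GENUINE_HPI), Mirror(TAMPERED_HPI)
    results = {
        "unverified_accepts_tampered": install_unverified(malicious, "example-plugin") == TAMPERED_HPI,
        "verified_accepts_genuine": install_verified(honest, "example-plugin") == GENUINE_HPI,
    }
    try:
        install_verified(malicious, "example-plugin")
        results["verified_rejects_tampered"] = False
    except PluginVerificationError:
        results["verified_rejects_tampered"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The check is only as strong as the source of the expected digest: if the same mirror can also serve the metadata, it can substitute a matching digest for its crafted plugin, so the metadata has to come from a trusted channel (or carry its own signature) for the comparison to mean anything.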

Related Identifiers

CVE-2020-2320
GHSA-M8R4-C7JM-W782

Affected Products

Jenkins
Jenkins Plugin Installation Manager Tool