CVE-2020-2099 Information
Feb 14, 2021
cve
Description
Jenkins 2.213 and earlier LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3 allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents which can be used to connect to Jenkins impersonating those agents.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Reference
http://www.openwall.com/lists/oss-security/2020/01/29/1 https://access.redhat.com/errata/RHBA-2020:0402 https://access.redhat.com/errata/RHBA-2020:0675 https://access.redhat.com/errata/RHSA-2020:0681 https://access.redhat.com/errata/RHSA-2020:0683 https://jenkins.io/security/advisory/2020-01-29/SECURITY-1682
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
LOW
Base Score
LOW
Base Severity
8.6
Share on: