CVE-2020-2255 - Vulnerability Details - OpenCVE

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Blue Ocean
Redhat	Openshift

Configuration 1 [-]

cpe:2.3:a:jenkins:blue_ocean:*:*:*:*:*:jenkins:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 3.11
jenkins-2-plugins-0:3.11.1603460090-1.el7	cpe:/a:redhat:openshift:3.11::el7	RHSA-2020:5102	2020-11-17T00:00:00Z
Red Hat OpenShift Container Platform 4.6
jenkins-2-plugins-0:4.6.1601368321-1.el8	cpe:/a:redhat:openshift:4.6::el8	RHSA-2020:4297	2020-10-27T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2020/09/16/3
https://nvd.nist.gov/vuln/detail/CVE-2020-2255
https://www.cve.org/CVERecord?id=CVE-2020-2255
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961
https://www.openwall.com/lists/oss-security/2020/09/16/3

History

No history.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2020-09-16T13:20:40

Updated: 2024-08-04T07:01:41.230Z

Reserved: 2019-12-05T00:00:00

Link: CVE-2020-2255

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-09-16T14:15:13.237

Modified: 2024-11-21T05:25:06.433

Link: CVE-2020-2255

Redhat

Severity : Moderate

Publid Date: 2020-09-16T00:00:00Z

Links: CVE-2020-2255 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Jenkins Blue Ocean Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.23.2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "1.19.2"}]}], "descriptions": [{"lang": "en", "value": "A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:07:57.668Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961"}, {"name": "[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2255", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Blue Ocean Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.23.2"}, {"version_affected": "!", "version_value": "1.19.2"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862: Missing Authorization"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961"}, {"name": "[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:01:41.230Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961"}, {"name": "[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2255", "datePublished": "2020-09-16T13:20:40", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:01:41.230Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:blue_ocean:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B3432A51-DB0A-4834-BCBF-FD069730BFE4", "versionEndIncluding": "1.23.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL."}, {"lang": "es", "value": "Una falta de comprobaci\u00f3n de permisos en Jenkins Blue Ocean Plugin versiones 1.23.2 y anteriores, permite a atacantes con permiso Overall/Read conectarse a una URL especificada por el atacante"}], "id": "CVE-2020-2255", "lastModified": "2024-11-21T05:25:06.433", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-16T14:15:13.237", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/09/16/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}]}