Multiple vulnerabilities in Jenkins Project Inheritance plugin
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-2197 CVE-2020-2198 |
| CWE-ID | CWE-264 CWE-522 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Project Inheritance Web applications / Modules and components for CMS |
| Vendor | Jenkins |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU28577
Risk: Low
CVSSv3.1: 4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-2197
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to the affected plugin does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsProject Inheritance: 1.4.8 - 19.08.02
External linkshttp://www.openwall.com/lists/oss-security/2020/06/03/3
http://jenkins.io/security/advisory/2020-06-03/#SECURITY-1582
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficiently protected credentials
EUVDB-ID: #VU28578
Risk: Medium
CVSSv3.1: 6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-2198
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to the affected plugin does not redact encrypted secrets in the "getConfigAsXML" API URL when transmitting job config.xml data to users without Job/Configure. A remote authenticated attacker can gain unauthorized access to sensitive information on the target system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsProject Inheritance: 1.4.8 - 19.08.02
External linkshttp://www.openwall.com/lists/oss-security/2020/06/03/3
http://jenkins.io/security/advisory/2020-06-03/#SECURITY-1582
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
