CVE-2020-2320: Jenkins Plugin Installation Manager Tool RCE
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify the integrity of the plugin archives it downloads (for example against a published checksum) before installing them. A third party that can alter the download, such as the operator of a mirror or an attacker on the network path, can therefore supply a crafted plugin that the tool installs as if it were genuine.
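The following is an added example, not code from the Virsec report or from the Jenkins Plugin Installation Manager Tool. It contrasts the vulnerable behaviour (write whatever bytes the mirror returned) with a hardened installer that compares the downloaded archive against the base64-encoded `sha256` field that Jenkins update-center metadata publishes per plugin. The plugin bytes, plugin name, URL and the update-center fragment are constructed for the demo.

```python
"""Verifying a Jenkins plugin download against update-center metadata.

Added example (not the tool's own code). The Jenkins update-center JSON lists a
base64-encoded SHA-256 digest for each plugin under the key "sha256". A
downloader that writes the .hpi to the plugins directory without comparing the
received bytes against that digest installs whatever a mirror or on-path
attacker hands it; that is the defect described in CVE-2020-2320.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample data: a fake plugin archive and a tampered copy of it.
GOOD_HPI = b"PK\x03\x04fake-plugin-archive-bytes-for-demo"
TAMPERED_HPI = b"PK\x03\x04fake-plugin-archive-bytes-for-demo-with-backdoor"

# Constructed update-center fragment; only the "sha256" field is used here.
UPDATE_CENTER_JSON = json.dumps({
    "plugins": {
        "demo-plugin": {
            "name": "demo-plugin",
            "version": "1.0",
            "url": "https://mirror.example/plugins/demo-plugin/1.0/demo-plugin.hpi",
            "sha256": base64.b64encode(hashlib.sha256(GOOD_HPI).digest()).decode(),
        }
    }
})


def expected_digest(update_center_json: str, plugin_name: str) -> bytes:
    """Return the raw SHA-256 digest the update center publishes for a plugin."""
    entry = json.loads(update_center_json)["plugins"][plugin_name]
    return base64.b64decode(entry["sha256"])


def install_unverified(hpi_bytes: bytes) -> bytes:
    """Vulnerable behaviour: accept whatever the mirror returned."""
    return hpi_bytes


def install_verified(hpi_bytes: bytes, update_center_json: str, plugin_name: str) -> bytes:
    """Hardened behaviour: refuse to install unless the digest matches."""
    actual = hashlib.sha256(hpi_bytes).digest()
    expected = expected_digest(update_center_json, plugin_name)
    # Constant-time comparison; a mismatch means the archive was altered in transit
    # or the mirror served something other than what the update center indexed.
    if not hmac.compare_digest(actual, expected):
        raise ValueError(
            f"{plugin_name}: SHA-256 mismatch (expected {expected.hex()}, got {actual.hex()})"
        )
    return hpi_bytes


def is_accepted(installer, hpi_bytes: bytes) -> bool:
    """True if the given installer would write this archive to the plugins dir."""
    try:
        installer(hpi_bytes)
        return True
    except ValueError:
        return False


def verified_demo_installer(hpi_bytes: bytes) -> bytes:
    """install_verified bound to the constructed metadata for 'demo-plugin'."""
    return install_verified(hpi_bytes, UPDATE_CENTER_JSON, "demo-plugin")


if __name__ == "__main__":
    print("unverified accepts tampered plugin:", is_accepted(install_unverified, TAMPERED_HPI))
    print("verified accepts tampered plugin:  ", is_accepted(verified_demo_installer, TAMPERED_HPI))
    print("verified accepts genuine plugin:   ", is_accepted(verified_demo_installer, GOOD_HPI))
```

The metadata must itself come from a trusted source (the update center over TLS, or a signed copy) for the check to mean anything; verifying a download against a digest fetched from the same untrusted mirror defends against nothing.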
1.2 CVSS Score
The CVSS v3.1 base score of this vulnerability is 7.8 (High). The vector string printed in the original report, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, does not match that score: it evaluates to 9.8 (Critical). A 7.8 score with High confidentiality, integrity and availability impact and unchanged scope corresponds to a vector such as CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (local attack vector, user interaction required), which fits the attack: an operator must run the tool and have it fetch a plugin through a mirror or path the attacker controls.
1.3 Affected Version
Jenkins Plugin Installation Manager Tool 2.1.3 and earlier
1.4 Vulnerability Attribution
This vulnerability was disclosed by the Jenkins project in a Jenkins security advisory.
1.5 Risk Impact
Jenkins is an open-source automation server that automates building, testing, and deploying software in CI/CD pipelines. It integrates with project management software (Jira), issue trackers (Bugzilla), static analysis tools (Veracode), license compliance tools (Black Duck), build tools (Ant, Maven) and version control systems (Subversion, Git). Millions of Jenkins instances are in use worldwide. Because a Jenkins plugin runs inside the Jenkins controller process with the controller's privileges, an attacker who can substitute a crafted plugin for the one the tool requested (for example by operating or compromising a mirror) can plant a backdoor on the controller and, from there, reach the source code, credentials and build artifacts that pass through the pipeline. At the time of this report, no public exploit was available.
1.6 Virsec Security Platform (VSP) Support
The Virsec Security Platform (VSP) Host component monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or an unknown binary is denied by VSP-Host's Process Monitoring capability.