Description

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

Remediation

References

CVE-2020-2099

Related Vulnerabilities

WordPress Plugin Admin Columns CSV Injection (3.4.6)

PostgreSQL Improper Access Control Vulnerability (CVE-2016-0768)

WordPress Plugin WebP Express Arbitrary File Disclosure (0.14.10)

WordPress 5.8.x Multiple Vulnerabilities (5.8 - 5.8.4)

ownCloud Improper Input Validation Vulnerability (CVE-2012-2270)

Severity

High

Classification

CVE-2020-2099 CWE-330 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Tags

Missing Update Known Vulnerabilities