CVE-2020-2099

high

Description

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

References

https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682

https://access.redhat.com/errata/RHSA-2020:0683

https://access.redhat.com/errata/RHSA-2020:0681

https://access.redhat.com/errata/RHBA-2020:0675

https://access.redhat.com/errata/RHBA-2020:0402

http://www.openwall.com/lists/oss-security/2020/01/29/1

Details

Source: Mitre, NVD

Published: 2020-01-29

Updated: 2023-10-25

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Severity: High