Missing Permission Check in Jenkins Amazon EC2 Plugin Affects User Access
CVE-2020-2091

8.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Amazon Ec2 Plugin
Vendor: CVE Published:; 15 January 2020

Summary

A flaw in Jenkins Amazon EC2 Plugin versions 1.47 and earlier allows attackers with Overall/Read permissions to exploit a missing permission check. This vulnerability enables them to connect to an attacker-specified URL within the AWS region, using credentials that they can obtain through other exploitative means. This access could potentially lead to unauthorized modifications and expose sensitive data within the AWS environment.

Affected Version(s)

Jenkins Amazon EC2 Plugin <= 1.47

Jenkins Amazon EC2 Plugin 1.46.2

Jenkins Amazon EC2 Plugin 1.42.2

References

https://jenkins.io/security/advisory/2020-01-15/#SECURITY...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 15, 2020
Vulnerability Reserved
Dec 5, 2019