API Permissions Issue in Jenkins Self-Organizing Swarm Plug-in Modules
CVE-2020-2191

4.3MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Self-organizing Swarm Plug-in Modules Plugin
Vendor
CVE Published:
3 June 2020

Summary

The Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier possess a significant API permissions issue. This vulnerability allows unauthorized users to add or remove agent labels without proper permissions, potentially leading to improper access control and manipulation of the Jenkins environment. As a result, administrators should take immediate action to secure their installations by updating to the latest version and reviewing user permissions thoroughly.

Affected Version(s)

Jenkins Self-Organizing Swarm Plug-in Modules Plugin <= 3.20

References

https://jenkins.io/security/advisory/2020-06-03/#SECURITY...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/06/03/3
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.