Fri. Jul 10th, 2020

Multiple vulnerabilities in Jenkins plugin

1 min read

On May 6, Jenkins officially released a security bulletin to fix 9 vulnerabilities in plug-ins, and 5 plug-ins were affected. Among them, the SCM Filter Jervis plug-in has a remote code execution vulnerability (CVE-2020-2189), which is officially rated as high risk. Since the SCM Filter Jervis plug-in does not configure the YAML parser by default, users can use the filter to configure the project, and can also operate the SCM has stored the configured project content. Credentials Binding plugin has two credential disclosure vulnerabilities (CVE-2020-2181, CVE-2020-2182). Copy Artifact plugin has improper permission verification vulnerability (CVE-2020-2183). CVS plugin exists cross-site request forgery vulnerability (CVE -2020-2184) and 4 vulnerabilities in the Amazon EC2 plug-in (CVE-2020-2185, CVE-2020-2186, CVE-2020-2187, CVE-2020-2188).jenkins

Affected Versions

  • Amazon EC2 Plugin up to and including 1.50.1
  • Copy Artifact Plugin up to and including 1.43.1
  • Credentials Binding Plugin up to and including 1.22
  • CVS Plugin up to and including 2.15
  • SCM Filter Jervis Plugin up to and including 0.2.1

Unaffected Versions

  • Amazon EC2 Plugin 1.50.2
  • Copy Artifact Plugin  1.44
  • Credentials Binding Plugin 1.23
  • CVS Plugin 2.16
  • SCM Filter Jervis Plugin 0.3

To ensure the security of the Jenkins server, it is recommended that relevant users upgrade the affected Jenkins plugin to th unaffected version.