CVE-2020-2094

CWE-862 — Missing Authorization5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 80.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Health Advisor BY Cloudbees Plugin Jenkins Health Advisor BY Cloudbees

Timeline

PublishedJan 15

Latest updateMay 24

Description

A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_health_advisor_by_cloudbees_pluginunspecified — 3.0

▶Mavenorg.jenkins-ci.plugins:cloudbees-jenkins-advisor< 3.0.1

▶NVDjenkins/health_advisor_by_cloudbees3.0

🔴Vulnerability Details

GHSA

Missing permission checks in Health Advisor by CloudBees Plugin↗2022-05-24

▶

OSV

Missing permission checks in Health Advisor by CloudBees Plugin↗2022-05-24

▶

CVEList

CVE-2020-2094: A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3↗2020-01-15

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-01-15↗2020-01-15

▶