CVE-2020-2103
Published 2020-01-29
Priority: P3 · 38 · medium · 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
Exploit
EPSS: 7.04% (93.4th percentile)
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | code_coverage_plugin | — | — |
| jenkins | fortify_plugin | — | — |
| jenkins | jenkins | <= 2.204.1 | — |
| jenkins | jenkins | <= 2.218 | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | websphere_deployer_plugin | — | — |
| jenkins_project | jenkins | unspecified – 2.218 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD (v2.0) | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| Red Hat (vendor) | 5.4 | MEDIUM | — |
Jenkins
Jenkins Security Advisory 2020-01-29
vendor_jenkins·2020-01-29·CVSS 8.6
CVE-2020-2099 [HIGH] Jenkins Security Advisory 2020-01-29
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Code Coverage Plugin
- Fortify Plugin
- WebSphere Deployer Plugin
Descriptions
Inbound TCP Agent Protocol/3 authentication bypass
SECURITY-1682 / CVE-2020-2099
Se
Red Hat
jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
vendor_redhat·2020-01-29·CVSS 5.4
CVE-2020-2103 [MEDIUM] CWE-200 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
OSV
Jenkins Diagnostic page exposed session cookies
osv·2022-05-24
CVE-2020-2103 [MEDIUM] Jenkins Diagnostic page exposed session cookies
Jenkins shows various technical details about the current user on the `/whoAmI` page. In [a previous fix](https://www.jenkins.io/security/advisory/2019-09-25/#SECURITY-1505), the `Cookie` header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier.
This allows attackers able to exploit a cross-site scripting vulnerability to obtain the HTTP session ID value from this page.
Jenkins 2.219, LTS 2.204.2 no longer prints out the affected user metadata that might contain the HTTP session ID.
Additionally, we also redact values of further authentication-related HTTP headers in addition to `Cookie` on this page as a
GHSA
Jenkins Diagnostic page exposed session cookies
ghsa·2022-05-24
CVE-2020-2103 [MEDIUM] CWE-200 Jenkins Diagnostic page exposed session cookies
Jenkins shows various technical details about the current user on the `/whoAmI` page. In [a previous fix](https://www.jenkins.io/security/advisory/2019-09-25/#SECURITY-1505), the `Cookie` header value containing the HTTP session ID was redacted. However, user metadata shown on this page could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier.
This allows attackers able to exploit a cross-site scripting vulnerability to obtain the HTTP session ID value from this page.
Jenkins 2.219, LTS 2.204.2 no longer prints out the affected user metadata that might contain the HTTP session ID.
Additionally, we also redact values of further authentication-related HTTP headers in addition to `Cookie` on this page as a
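The gap the OSV and GHSA entries above describe, a Cookie-only redaction that missed the session ID carried in the user detail object, modelled as an added illustrative example; this is not Jenkins code. The header set, field names and sample values are assumptions.

```python
"""Illustrative model of a whoAmI-style diagnostic page (not Jenkins code).

Shows why redacting only the Cookie header was insufficient: the user's
detail object carried the session ID too, so the fixed version both drops
that metadata and redacts every authentication-related header.
"""
from typing import Dict, Any

# Constructed sample request: the session ID appears in the Cookie header
# and (pre-fix) again inside the user's detail object.
SESSION_ID = "node0abc123sessionid"  # constructed placeholder value
HEADERS: Dict[str, str] = {
    "Cookie": f"JSESSIONID.1234={SESSION_ID}",
    "Authorization": "Basic dXNlcjpzZWNyZXQ=",  # constructed sample
    "X-Forwarded-For": "10.0.0.5",
    "User-Agent": "curl/7.68.0",
}
USER_DETAILS: Dict[str, Any] = {
    "name": "alice",
    "authorities": ["authenticated"],
    "sessionId": SESSION_ID,  # the metadata leak the advisory describes
    "remoteAddress": "10.0.0.5",
}

# Headers whose values must never be echoed to a page an XSS payload can read.
# "Cookie" is what the earlier fix covered; the other names are assumptions.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}


def render_vulnerable(headers: Dict[str, str], details: Dict[str, Any]) -> str:
    """Pre-fix behaviour: redacts Cookie only and dumps the detail object."""
    lines = [f"{k}: {'[redacted]' if k.lower() == 'cookie' else v}"
             for k, v in headers.items()]
    lines.append(f"details: {details}")
    return "\n".join(lines)


def render_fixed(headers: Dict[str, str], details: Dict[str, Any]) -> str:
    """Fixed behaviour: redact every auth-related header and drop
    session-bearing metadata before anything reaches the page."""
    lines = [f"{k}: {'[redacted]' if k.lower() in SENSITIVE_HEADERS else v}"
             for k, v in headers.items()]
    safe = {k: v for k, v in details.items() if "session" not in k.lower()}
    lines.append(f"details: {safe}")
    return "\n".join(lines)


def leaks_secret(page: str, *secrets: str) -> bool:
    """Self-check: does the rendered page still contain any secret value?"""
    return any(s in page for s in secrets)
```

Running `leaks_secret` over both renderings with the constructed session ID returns True for the pre-fix page and False for the fixed one, while the non-secret fields (user name, remote address) remain visible.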
Project Zero
Project Zero RCA: CVE-2020-15999: FreeType Heap Buffer Overflow in Load_SBit_Png
project_zero·CVSS 9.6
CVE-2020-15999 [CRITICAL] Project Zero RCA: CVE-2020-15999: FreeType Heap Buffer Overflow in Load_SBit_Png
# CVE-2020-15999: FreeType Heap Buffer Overflow in Load_SBit_Png
*Sergei Glazunov, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2021-02-04)*
## The Basics
**Disclosure or Patch Date:** 19 October 2020
**Product:** Google Chrome/ Freetype
**Advisory:** https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html
**Affected Versions:** 86.0.4240.80 and previous
**First Patched Version:** 86.0.4240.111
**Issue/Bug Report:**
* Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=2103
* Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=1139963
* FreeType: https://savannah.nongnu.org/bugs/?59308
**Patch CL:**
* Chromium: https://chromium.googlesource.com/chromium/src
No detection rules found.
Nuclei
Jenkins <=2.218 - Information Disclosure
nuclei·CVSS 5.4
CVE-2020-2103 [MEDIUM] Jenkins <=2.218 - Information Disclosure
Jenkins through 2.218, LTS 2.204.1 and earlier, is susceptible to information disclosure. An attacker can access exposed session identifiers on a user detail object in the whoAmI diagnostic page and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
Template:
```yaml
id: CVE-2020-2103
info:
  name: Jenkins <=2.218 - Information Disclosure
  author: c-sh0
  severity: medium
  description: Jenkins through 2.218, LTS 2.204.1 and earlier, is susceptible to information disclosure. An attacker can access exposed session identifiers on a user detail object in the whoAmI diagnostic page and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    An attacker can exploi
```
Bugzilla
CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page [fedora-all]
bugzilla·2020-01-31·CVSS 5.4
CVE-2020-2103 [MEDIUM] CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this iss
Bugzilla
CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
bugzilla·2020-01-31·CVSS 5.4
CVE-2020-2103 [MEDIUM] CVE-2020-2103 jenkins: Exposed session identifiers on user detail object in the whoAmI diagnostic page
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier exposed session identifiers on a user's detail object in the whoAmI diagnostic page.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1695
https://www.openwall.com/lists/oss-security/2020/01/29/1
Discussion:
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1797063]
---
"Any security advisory related updates to Jenkins core or the plugins we include in the OpenShift Jenkins master image will only occur in the v3.11 and v4.x branches of this repository."
https://github.com/openshift/jenkins/blob/master/README.md#jenkins-security-advisories-the-master-image-from-this-repository-and-the-oc-b
References:
- http://www.openwall.com/lists/oss-security/2020/01/29/1
- https://access.redhat.com/errata/RHBA-2020:0402
- https://access.redhat.com/errata/RHBA-2020:0675
- https://access.redhat.com/errata/RHSA-2020:0681
- https://access.redhat.com/errata/RHSA-2020:0683
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1695
Published: 2020-01-29