CVE-2020-2117

CWE-276 — Incorrect Default Permissions CWE-285 CWE-416 — Use After Free6 documents6 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 91.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Pipeline Github Notify Step Plugin Jenkins Pipeline Github Notify Step

Timeline

PublishedFeb 12

Latest updateAug 19

Description

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:pipeline-githubnotify-step< 1.0.5

▶CVEListV5jenkins_project/jenkins_pipeline_github_notify_step_pluginunspecified — 1.0.4

▶NVDjenkins/pipeline_github_notify_step1.0.4

🔴Vulnerability Details

OSV

Missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials↗2022-05-24

▶

GHSA

Missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials↗2022-05-24

▶

CVEList

CVE-2020-2117: A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1↗2020-02-12

▶

📋Vendor Advisories

Red Hat

podman: Security regression of CVE-2020-8945 due to source code management issue↗2022-08-19

▶

Jenkins

Jenkins Security Advisory 2020-02-12↗2020-02-12

▶