CVE-2020-2204: A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally…

medium5.4CVSS 3.1

AVNACLPRLUINSUCLILAN

A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs.

Affected

18 ranges

Vendor	Product	Version range	Fixed in
jenkins	cd_plugin	—	—
jenkins	compatibility_action_storage_plugin	—	—
jenkins	fortify_on_demand	<= 5.0.1	—
jenkins	fortify_on_demand_plugin	—	—
jenkins	github_coverage_reporter_plugin	—	—
jenkins	hp_alm_quality_center_plugin	—	—
jenkins	ids_in_fortify_on_demand_plugin	—	—
jenkins	ids_to_allow_users_configuring_the_plugin	—	—
jenkins	link_column_plugin	—	—
jenkins	slack_upload_plugin	—	—
jenkins	sonargraph_integration_plugin	—	—
jenkins	stash_branch_parameter_plugin	—	—
jenkins	testcomplete_support_plugin	—	—
jenkins	vncrecorder_plugin	—	—
jenkins	vncviewer_plugin	—	—
jenkins	zap_pipeline_plugin	—	—
jenkins	zephyr_for_jira_test_management_plugin	—	—
jenkins_project	jenkins_fortify_on_demand_plugin	unspecified – 5.0.1	—