CVE-2020-2254

CWE-22: Path Traversal | 7 documents | 7 sources
Severity
6.5 MEDIUM
EPSS
2.4%
top 14.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 16
Latest update: May 24

Description

Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5 | jenkins_project/jenkins_blue_ocean_plugin | unspecified | 1.23.2
NVD | jenkins/blue_ocean | 1.23.2

🔴 Vulnerability Details (3)

OSV: Path traversal vulnerability in Blue Ocean Plugin (2022-05-24)
GHSA: Path traversal vulnerability in Blue Ocean Plugin (2022-05-24)
CVEList: CVE-2020-2254: Jenkins Blue Ocean Plugin 1 (2020-09-16)

📋 Vendor Advisories (2)

Red Hat: jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files (2020-09-16)
Jenkins: Jenkins Security Advisory 2020-09-16 (2020-09-16)

💬 Community (1)

Bugzilla: CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files (2020-09-18)