ByteOS Network

NVD Vulnerability Details :

CVE-2020-2099

Modified

Source-jenkinsci-cert@googlegroups.com

Published At-29 Jan, 2020 | 16:15

Updated At-25 Oct, 2023 | 18:16

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Primary	2.0	7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P

Type: Primary

Version: 3.1

Base score: 8.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Type: Primary

Version: 2.0

Base score: 7.5

Base severity: HIGH

Vector:

AV:N/AC:L/Au:N/C:P/I:P/A:P

CPE Matches

Jenkins

>>jenkins>>Versions up to 2.204.1(inclusive)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Jenkins

>>jenkins>>Versions up to 2.218(inclusive)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-330	Primary	nvd@nist.gov

CWE ID: CWE-330

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
http://www.openwall.com/lists/oss-security/2020/01/29/1	jenkinsci-cert@googlegroups.com	Mailing List Third Party Advisory
https://access.redhat.com/errata/RHBA-2020:0402	jenkinsci-cert@googlegroups.com	N/A
https://access.redhat.com/errata/RHBA-2020:0675	jenkinsci-cert@googlegroups.com	N/A
https://access.redhat.com/errata/RHSA-2020:0681	jenkinsci-cert@googlegroups.com	N/A
https://access.redhat.com/errata/RHSA-2020:0683	jenkinsci-cert@googlegroups.com	N/A
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682	jenkinsci-cert@googlegroups.com	Vendor Advisory