Vulnerability Description
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | <= 2.204.1 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2020/01/29/1Mailing ListThird Party Advisory
- https://access.redhat.com/errata/RHBA-2020:0402
- https://access.redhat.com/errata/RHBA-2020:0675
- https://access.redhat.com/errata/RHSA-2020:0681
- https://access.redhat.com/errata/RHSA-2020:0683
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682Vendor Advisory
- http://www.openwall.com/lists/oss-security/2020/01/29/1Mailing ListThird Party Advisory
- https://access.redhat.com/errata/RHBA-2020:0402
- https://access.redhat.com/errata/RHBA-2020:0675
- https://access.redhat.com/errata/RHSA-2020:0681
- https://access.redhat.com/errata/RHSA-2020:0683
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682Vendor Advisory
FAQ
What is CVE-2020-2099?
CVE-2020-2099 is a vulnerability with a CVSS score of 8.6 (HIGH). Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obt...
How severe is CVE-2020-2099?
CVE-2020-2099 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-2099?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins.