Jenkins < 2.214, < 2.204.2 LTS Authentication Bypass Vulnerability (Linux)

Published: 2020-02-04 03:31:41
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Detection Type:
Remote Banner Unreliable

Solution Type:
Vendor Patch

Summary:
Jenkins is prone to an inbound TCP Agent Protocol/3 authentication bypass vulnerability.

Detection Method:
Checks if a vulnerable version is present on the target host.

Technical Details:
Jenkins includes support for the Inbound TCP Agent Protocol/3 for communication between master and agents. Although this protocol was deprecated in 2018 and removed from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS 2.204.1, 2.213, and older. The protocol incorrectly reuses encryption parameters, which allows an unauthenticated remote attacker to determine the connection secret. This secret can then be used to connect attacker-controlled Jenkins agents to the Jenkins master.

Affected Versions:
Jenkins version 2.213 and prior, and Jenkins LTS 2.204.1 and prior.

Recommendations:
Update to version 2.214, 2.204.2 LTS or later.
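
The version ranges above, applied as a triage check (an added example, not the scanner's own detection code). It assumes the version is read from the `X-Jenkins` HTTP response header, which this page does not mention; the host names and responses are constructed sample data.

```python
import re

# Fixed releases named in the advisory above.
FIXED_WEEKLY = (2, 214)      # weekly line uses X.Y
FIXED_LTS = (2, 204, 2)      # LTS line uses X.Y.Z

def version_from_headers(raw_headers):
    """Return the X-Jenkins header value from raw HTTP headers, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None

def parse_version(banner):
    """Return (X, Y) or (X, Y, Z) as ints; None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", (banner or "").strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)

def classify(banner):
    """'affected', 'fixed', or 'unknown' for a reported Jenkins version."""
    v = parse_version(banner)
    if v is None:
        return "unknown"     # missing header, snapshot or custom build string
    # Compare LTS against the LTS fix and weekly against the weekly fix;
    # a single threshold would mark LTS 2.204.2 as older than 2.214.
    fixed = FIXED_LTS if len(v) == 3 else FIXED_WEEKLY
    return "affected" if v < fixed else "fixed"

def triage(responses):
    """Map host -> verdict for a dict of host -> raw response headers."""
    return {h: classify(version_from_headers(r)) for h, r in responses.items()}

# Constructed sample responses (hypothetical hosts).
SAMPLE = {
    "ci-weekly-old": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.213\r\n",
    "ci-weekly-new": "HTTP/1.1 200 OK\r\nx-jenkins: 2.214\r\n",
    "ci-lts-old": "HTTP/1.1 403 Forbidden\r\nX-Jenkins: 2.204.1\r\n",
    "ci-lts-new": "HTTP/1.1 200 OK\r\nX-Jenkins: 2.204.2\r\n",
    "ci-proxied": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

A version in the affected range does not by itself show that Protocol/3 is enabled on the instance, so treat "affected" as a prompt to check the agent protocol settings and to update.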

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2020-2099

References:

https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682

Severity:
High

CVSS Score:
7.5
