CVE-2020-2255 - A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Ove

CVE-2020-2255

Summary

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

References

Vulnerable Configurations

cpe:2.3:a:jenkins:blue_ocean:1.0.0:-:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:-:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta09:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta09:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta10:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta10:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta11:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta11:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta12:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta12:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta13:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta13:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta14:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta14:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta15:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta15:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta16:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta16:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta17:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta17:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta18:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta18:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta19:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta19:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta20:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta20:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta21:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta21:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta22:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta22:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta23:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta23:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta24:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta24:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta25:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:beta25:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc1:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc1:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc2:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc2:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc3:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc3:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc4:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.0:rc4:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.0.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.5:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.5:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.6:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.6:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.7:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.1.7:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:-:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:-:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta1:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta1:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta2:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta2:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta3:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta3:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta4:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta4:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta5:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta5:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta6:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta6:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta7:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.0:beta7:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.2.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.5:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.3.5:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.4.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.4.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.4.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.4.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.4.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.4.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.5.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.5.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.5.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.5.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.5.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.5.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.6.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.6.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.6.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.6.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.6.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.6.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.7.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.7.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.7.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.7.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.7.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.7.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.3:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.8.4:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.9.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.9.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.10.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.10.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.10.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.10.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.10.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.10.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.11.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.11.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.13.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.13.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.13.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.13.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.14.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.14.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.15.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.15.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.15.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.15.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.16.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.16.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.17.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.17.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.18:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.18:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.18.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.18.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.19:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.19:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.19.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.19.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.21:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.21:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.22:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.22:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.22.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.22.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.23:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.23:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.23.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.23.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.23.2:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:blue_ocean:1.23.2:*:*:*:*:jenkins:*:*

CVSS

Base:	4.0 (as of 25-10-2023 - 18:16)
Impact:
Exploitability:

CWE

CWE-862

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:S/C:N/I:P/A:N

redhat via4

rpms

containers-common-1:1.1.1-2.rhaos4.6.el8
jenkins-2-plugins-0:4.6.1601368321-1.el8
openshift-clients-0:4.6.0-202010081244.p0.git.3794.4743d24.el7
openshift-clients-0:4.6.0-202010081244.p0.git.3794.4743d24.el8
openshift-clients-redistributable-0:4.6.0-202010081244.p0.git.3794.4743d24.el7
openshift-clients-redistributable-0:4.6.0-202010081244.p0.git.3794.4743d24.el8
podman-0:1.9.3-3.rhaos4.6.el8
podman-debuginfo-0:1.9.3-3.rhaos4.6.el8
podman-debugsource-0:1.9.3-3.rhaos4.6.el8
podman-docker-0:1.9.3-3.rhaos4.6.el8
podman-remote-0:1.9.3-3.rhaos4.6.el8
podman-remote-debuginfo-0:1.9.3-3.rhaos4.6.el8
podman-tests-0:1.9.3-3.rhaos4.6.el8
runc-0:1.0.0-81.rhaos4.6.git5b757d4.el7
runc-0:1.0.0-81.rhaos4.6.git5b757d4.el8
runc-debuginfo-0:1.0.0-81.rhaos4.6.git5b757d4.el7
runc-debuginfo-0:1.0.0-81.rhaos4.6.git5b757d4.el8
runc-debugsource-0:1.0.0-81.rhaos4.6.git5b757d4.el8
skopeo-1:1.1.1-2.rhaos4.6.el8
skopeo-debuginfo-1:1.1.1-2.rhaos4.6.el8
skopeo-debugsource-1:1.1.1-2.rhaos4.6.el8
skopeo-tests-1:1.1.1-2.rhaos4.6.el8
jenkins-2-plugins-0:3.11.1603460090-1.el7

refmap via4

confirm	https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1961
mlist	[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins

Last major update

25-10-2023 - 18:16

Published

16-09-2020 - 14:15

Last modified

25-10-2023 - 18:16