ID CVE-2020-2286
Summary Jenkins Role-based Authorization Strategy Plugin 3.0 and earlier does not properly invalidate a permission cache when the configuration is changed, resulting in permissions being granted based on an outdated configuration.
References
Vulnerable Configurations
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:1.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:1.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:1.1.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:1.1.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:1.1.3:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.1.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.2.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.3.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.3.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.3.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.4.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.5.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.5.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.6.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.6.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.7.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.8.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.8.1:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.8.2:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.9.0:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.10:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.11:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.12:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.13:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.14:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.15:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:2.16:*:*:*:*:jenkins:*:*
  • cpe:2.3:a:jenkins:role-based_authorization_strategy:3.0:*:*:*:*:jenkins:*:*
CVSS
Base: 6.8 (as of 23-10-2020 - 18:27)
Impact:
Exploitability:
CWE CWE-863
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
refmap via4
confirm https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-1767
mlist [oss-security] 20201008 Multiple vulnerabilities in Jenkins plugins
Last major update 23-10-2020 - 18:27
Published 08-10-2020 - 13:15
Last modified 23-10-2020 - 18:27