ghsa-qp4f-2w67-c8hw
Vulnerability from github
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the Inbound TCP Agent Protocol/3 for communication between controller and agents. While this protocol has been deprecated in 2018 and was recently removed from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS 2.204.1, 2.213, and older.
This protocol incorrectly reuses encryption parameters which allow an unauthenticated remote attacker to determine the connection secret. This secret can then be used to connect attacker-controlled Jenkins agents to the Jenkins controller.
Jenkins 2.204.2 no longer allows for the use of Inbound TCP Agent Protocol/3 by default. The system property jenkins.slaves.JnlpSlaveAgentProtocol3.ALLOW_UNSAFE
can be set to true
to allow enabling the Inbound TCP Agent Protocol/3 in Jenkins 2.204.2, but doing so is strongly discouraged.
Inbound TCP Agent Protocol/3 was removed completely from Jenkins 2.214 and will not be part of Jenkins LTS after the end of the 2.204.x line.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "2.204.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.main:jenkins-core" }, "ranges": [ { "events": [ { "introduced": "2.205" }, { "fixed": "2.214" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2020-2099" ], "database_specific": { "cwe_ids": [ "CWE-323", "CWE-330" ], "github_reviewed": true, "github_reviewed_at": "2022-12-16T22:56:05Z", "nvd_published_at": "2020-01-29T16:15:00Z", "severity": "HIGH" }, "details": "Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the Inbound TCP Agent Protocol/3 for communication between controller and agents. While [this protocol has been deprecated in 2018](https://www.jenkins.io/changelog-old/#v2.128) and was recently removed from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS 2.204.1, 2.213, and older.\n\nThis protocol incorrectly reuses encryption parameters which allow an unauthenticated remote attacker to determine the connection secret. This secret can then be used to connect attacker-controlled Jenkins agents to the Jenkins controller.\n\nJenkins 2.204.2 no longer allows for the use of Inbound TCP Agent Protocol/3 by default. The system property `jenkins.slaves.JnlpSlaveAgentProtocol3.ALLOW_UNSAFE` can be set to `true` to allow enabling the Inbound TCP Agent Protocol/3 in Jenkins 2.204.2, but doing so is strongly discouraged.\n\nInbound TCP Agent Protocol/3 was removed completely from Jenkins 2.214 and will not be part of Jenkins LTS after the end of the 2.204.x line.", "id": "GHSA-qp4f-2w67-c8hw", "modified": "2022-12-16T22:56:05Z", "published": "2022-05-24T17:07:40Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2099" }, { "type": "WEB", "url": "https://github.com/jenkinsci/jenkins/commit/5054bc6e12e1022993d719f66e289ab1d22ae854" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2020:0402" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHBA-2020:0675" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0681" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2020:0683" }, { "type": "PACKAGE", "url": "https://github.com/jenkinsci/jenkins" }, { "type": "WEB", "url": "https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2020/01/29/1" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "type": "CVSS_V3" } ], "summary": "Inbound TCP Agent Protocol/3 authentication bypass in Jenkins" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.