Description

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

Remediation

References

CVE-2020-2099

Related Vulnerabilities

WebLogic CVE-2022-21548 Vulnerability (CVE-2022-21548)

Piwigo Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2017-10681)

Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-3464)

WordPress Plugin Nofollow for external link Multiple Unspecified Vulnerabilities (1.1.2)

MediaWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2015-8624)

Severity

High

Classification

CVE-2020-2099 CWE-330 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Tags

Missing Update Known Vulnerabilities