Base Score

HIGH8.6

CVE-2020-2099

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateJan 29, 2020, 16:15

Affected Versions(2)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed2.204.2

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced2.205

Fixed2.214

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	0	2.204.2	N/A
org.jenkins-ci.main:jenkins-core(Maven)	2.205	2.214	N/A

Weakness Type (CWE):CWE-330

CVSS Metrics

Base Score

8.6

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

LOW

References

Base Score

HIGH8.6

Weakness Type (CWE):CWE-330

CVSS Metrics

Base Score

8.6

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

LOW