Jenkins Amazon EC2 Plugin 1.47 Cross-Site Request Forgery (CSRF) Vulnerability

Summary

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

Credit:

The information has been provided by Ai Ho

The original article can be found at:https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1004


Details

A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

 

Vulnerable Systems:

Jenkins Amazon EC2 Plugin 1.47

 

CVE Information:

CVE-2020-2090

 

Disclosure Timeline:
Published Date:1/15/2020

Categories: News