[java-sig-commits] [Bug 1797080] New: CVE-2020-2099 jenkins: Inbound TCP Agent Protocol/3 authentication bypass

31 Jan 2020


      https://bugzilla.redhat.com/show_bug.cgi?id=1797080
Bug ID: 1797080
           Summary: CVE-2020-2099 jenkins: Inbound TCP Agent Protocol/3
                    authentication bypass
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: psampaio@redhat.com
                CC: abenaiss@redhat.com, adam.kaplan@redhat.com,
                    aos-bugs@redhat.com, bmontgom@redhat.com,
                    eparis@redhat.com, extras-orphan@fedoraproject.org,
                    java-sig-commits@lists.fedoraproject.org,
                    jburrell@redhat.com, jokerman@redhat.com,
                    mizdebsk@redhat.com, msrb@redhat.com,
                    nstielau@redhat.com, pbhattac@redhat.com,
                    sponnaga@redhat.com, vbobade@redhat.com,
                    wzheng@redhat.com
  Target Milestone: ---
    Classification: Other
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption
key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized
attackers with knowledge of agent names to obtain the connection secrets for
those agents, which can be used to connect to Jenkins, impersonating those
agents.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682
http://www.openwall.com/lists/oss-security/2020/01/29/1
-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[java-sig-commits] [Bug 1797080] New: CVE-2020-2099 jenkins: Inbound TCP Agent Protocol/3 authentication bypass