CVE-2020-2117

2020-02-1215:15:13

Google

osv.dev

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.3%

JSON

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CPENameOperatorVersion
pipeline-githubnotify-step-plugineqpipeline-githubnotify-step-1.0.0
pipeline-githubnotify-step-plugineqpipeline-githubnotify-step-1.0.4
pipeline-githubnotify-step-plugineqpipeline-githubnotify-step-1.0.1
pipeline-githubnotify-step-plugineqpipeline-githubnotify-step-1.0.3
pipeline-githubnotify-step-plugineqpipeline-githubnotify-step-1.0.2

Name	Operator	Version
pipeline-githubnotify-step-plugin	eq	pipeline-githubnotify-step-1.0.0
pipeline-githubnotify-step-plugin	eq	pipeline-githubnotify-step-1.0.4
pipeline-githubnotify-step-plugin	eq	pipeline-githubnotify-step-1.0.1
pipeline-githubnotify-step-plugin	eq	pipeline-githubnotify-step-1.0.3
pipeline-githubnotify-step-plugin	eq	pipeline-githubnotify-step-1.0.2