A vulnerability classified as problematic has been found in Jenkins up to 2.213/LTS 2.204.1 (Continuous Integration Software). Affected is some unknown processing of the component Inbound TCP Agent Protocol 3. The manipulation with an unknown input leads to a nonce re-use vulnerability (Key). CWE is classifying the issue as CWE-323. Nonces should be used for the present occasion and only once. This is going to have an impact on confidentiality. CVE summarizes:

Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuses encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.

The weakness was released 01/29/2020 (oss-sec). The advisory is available at openwall.com. This vulnerability is traded as CVE-2020-2099 since 12/05/2019. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1600.001 by the MITRE ATT&CK project.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 149527, 149528, 149529 and 149530.

Productinfo

Type

• Continuous Integration Software

Name

• Jenkins

Version

• 2.213
• LTS 2.204.0
• LTS 2.204.1

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion