Improper authorization control for web services in org.jenkins-ci.main:jenkins-core

Description

Memory usage graphs accessible to anyone with Overall/Read

Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller.

Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data.

Jenkins 2.219 and LTS 2.204.2 now require the Overall/Administer permission to view the JVM memory usage chart.
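The version boundaries above can be checked across an inventory of controllers with a small script. This is an added example, not code from the advisory or from Jenkins; it assumes two-component versions are weekly releases and three-component versions are LTS releases, and the controller names and version list are constructed sample data.

```python
import re

# Last affected releases, taken from the advisory text.
LAST_AFFECTED_WEEKLY = (2, 218)
LAST_AFFECTED_LTS = (2, 204, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return a tuple of ints: 2 parts for a weekly release, 3 for LTS."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_affected(text):
    """True if this version serves the memory chart to Overall/Read users."""
    version = parse_version(text)
    if len(version) == 3:
        # LTS line: compare only against the LTS boundary. Comparing
        # 2.204.2 with weekly 2.218 would wrongly report it as affected.
        return version <= LAST_AFFECTED_LTS
    return version <= LAST_AFFECTED_WEEKLY


def triage(inventory):
    """Map controller name to 'affected', 'patched' or 'unknown'."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "affected" if is_affected(version) else "patched"
        except ValueError:
            result[name] = "unknown"  # needs a manual look
    return result


# Constructed sample inventory (hypothetical controller names).
SAMPLE = {
    "build-a": "2.218",
    "build-b": "2.219",
    "build-c": "2.204.1",
    "build-d": "2.204.2",
    "build-e": "2.204.2-SNAPSHOT",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {status}")
```

Versions the pattern does not recognise are reported as unknown rather than guessed, so custom or snapshot builds get reviewed by hand.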

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions