1880456 – (CVE-2020-2254) CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files

Bug 1880456 (CVE-2020-2254) - CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files

Summary: CVE-2020-2254 jenkins-2-plugins/blueocean: Path traversal vulnerability in Bl...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-2254
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1881477 1881478
Blocks:	1880461
TreeView+	depends on / blocked

Reported:	2020-09-18 15:33 UTC by Michael Kaplan
Modified:	2021-02-16 19:13 UTC (History)
CC List:	10 users (show)
Fixed In Version:	blueocean 1.23.3
Clone Of:
Environment:
Last Closed:	2020-10-27 20:21:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4297	0	None	None	None	2020-10-27 14:53:53 UTC
Red Hat Product Errata	RHSA-2020:5102	0	None	None	None	2020-11-17 04:38:57 UTC

Description Michael Kaplan 2020-09-18 15:33:20 UTC

Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GIT_READ_SAVE_TYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system.

Comment 1 Michael Kaplan 2020-09-18 15:33:25 UTC

External References:

http://www.openwall.com/lists/oss-security/2020/09/16/3
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1956

Comment 2 Przemyslaw Roguski 2020-09-22 13:42:52 UTC

In the jenkins-2-plugins package there is shipped the Blue Ocean Plugin in version 1.10.2 (in OpenShift 4.5 and 3.11).

Comment 4 errata-xmlrpc 2020-10-27 14:53:51 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297

Comment 5 Product Security DevOps Team 2020-10-27 20:21:45 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2254

Comment 6 errata-xmlrpc 2020-11-17 04:38:56 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:5102 https://access.redhat.com/errata/RHSA-2020:5102

Note You need to log in before you can comment on or make changes to this bug.