Low severity · NVD Advisory · Published Jan 15, 2020 · Updated Aug 4, 2024

CVE-2020-2090

CVE-2020-2090

Description

A cross-site request forgery vulnerability in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:ec2 (Maven)
< 1.48 | 1.48

Affected products

1

Patches

1
0cdbaf2d7da5

[SECURITY-1004]

https://github.com/jenkinsci/ec2-plugin · Francisco Javier Fernandez Gonzalez · Jan 9, 2020 · via ghsa
3 files changed · +9 0
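--- a/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
+++ b/src/main/java/hudson/plugins/ec2/AmazonEC2Cloud.java
@@ -52,6 +52,7 @@
 import com.amazonaws.services.ec2.AmazonEC2;
 import com.amazonaws.services.ec2.model.DescribeRegionsResult;
 import com.amazonaws.services.ec2.model.Region;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * The original implementation of {@link EC2Cloud}.
@@ -197,6 +198,7 @@ URL determineEC2EndpointURL(@Nullable String altEC2Endpoint) throws MalformedURL
             return new URL(altEC2Endpoint);
         }
 
+        @RequirePOST
         public FormValidation doTestConnection(
                 @QueryParameter String region,
                 @QueryParameter boolean useInstanceProfileForCredentials,
@@ -214,6 +216,7 @@ public FormValidation doTestConnection(
             return super.doTestConnection(getEc2EndpointUrl(region), useInstanceProfileForCredentials, credentialsId, privateKey, roleArn, roleSessionName, region);
         }
 
+        @RequirePOST
         public FormValidation doGenerateKey(StaplerResponse rsp, @QueryParameter String region, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String roleArn, @QueryParameter String roleSessionName)
                 throws IOException, ServletException {
             return super.doGenerateKey(rsp, getEc2EndpointUrl(region), useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);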
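Review bot: The Jenkins.ADMINISTER check for both web methods lives in the superclass, and `getEc2EndpointUrl(region)` is evaluated as an argument before `super.doTestConnection(...)` / `super.doGenerateKey(...)` run, so whatever that helper does with the caller-supplied `region` happens for any authenticated user who can POST, ahead of authorization; its body is not in this diff, so I cannot tell whether it only builds a URL string or does more. If it can touch the network or throw on malformed input, add `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` as the first statement of each override (the `jenkins.model.Jenkins` import would need to be in scope in this file), which also keeps the two subclasses from silently diverging if the superclass check is ever refactored. Either way, a one-line comment above each override such as `// Stapler web method, POST-only; EC2Cloud enforces Jenkins.ADMINISTER before any AWS call` would make the split responsibility visible to the next maintainer. Both method bodies are otherwise unchanged here and `doTestConnection`'s parameter list continues outside the second hunk.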
    
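--- a/src/main/java/hudson/plugins/ec2/EC2Cloud.java
+++ b/src/main/java/hudson/plugins/ec2/EC2Cloud.java
@@ -69,6 +69,7 @@
 import hudson.Extension;
 import hudson.model.PeriodicWork;
 import hudson.model.TaskListener;
+import hudson.security.Permission;
 import hudson.util.ListBoxModel;
 import jenkins.model.Jenkins;
 import jenkins.model.JenkinsLocationConfiguration;
@@ -933,6 +934,7 @@ public FormValidation doCheckPrivateKey(@QueryParameter String value) throws IOE
 
         protected FormValidation doTestConnection(URL ec2endpoint, boolean useInstanceProfileForCredentials, String credentialsId, String privateKey, String roleArn, String roleSessionName, String region)
                 throws IOException, ServletException {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             try {
                 AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);
                 AmazonEC2 ec2 = AmazonEC2Factory.getInstance().connect(credentialsProvider, ec2endpoint);
@@ -959,6 +961,7 @@ protected FormValidation doTestConnection(URL ec2endpoint, boolean useInstancePr
 
         public FormValidation doGenerateKey(StaplerResponse rsp, URL ec2EndpointUrl, boolean useInstanceProfileForCredentials, String credentialsId, String roleArn, String roleSessionName, String region)
                 throws IOException, ServletException {
+            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
             try {
                 AWSCredentialsProvider credentialsProvider = createCredentialsProvider(useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);
                 AmazonEC2 ec2 = AmazonEC2Factory.getInstance().connect(credentialsProvider, ec2EndpointUrl);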
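Review bot: The new `import hudson.security.Permission;` in the first hunk is not used by either added line, both of which reference `Jenkins.ADMINISTER` through the already-imported `jenkins.model.Jenkins`; unless `Permission` is used elsewhere in the file outside this diff, drop the import so it does not read as a half-finished change. The placement of `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` is right, since it precedes both `createCredentialsProvider(...)` (which resolves the caller-chosen `credentialsId`) and the outbound `connect(...)`, and it throws out of the method before the `try` block can turn a denial into a FormValidation result. `doGenerateKey` here is `public` and has no `@RequirePOST`; its unannotated `URL` parameter suggests Stapler cannot bind it directly and that only the annotated subclass overrides are reachable, but if it is ever exposed directly it needs the same `@RequirePOST` to keep the CSRF fix complete. A short comment on each check, e.g. `// Only admins may test or use arbitrary credentials/endpoints; must run before any credential lookup or network call`, would document why the check sits ahead of the `try`. Both method bodies continue beyond their hunks.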
    
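--- a/src/main/java/hudson/plugins/ec2/Eucalyptus.java
+++ b/src/main/java/hudson/plugins/ec2/Eucalyptus.java
@@ -35,6 +35,7 @@
 import org.kohsuke.stapler.DataBoundConstructor;
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.StaplerResponse;
+import org.kohsuke.stapler.interceptor.RequirePOST;
 
 /**
  * Eucalyptus.
@@ -71,12 +72,14 @@ public String getDisplayName() {
         }
 
         @Override
+        @RequirePOST
         public FormValidation doTestConnection(@QueryParameter URL ec2endpoint, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String privateKey, @QueryParameter String roleArn, @QueryParameter String roleSessionName, @QueryParameter String region)
                 throws IOException, ServletException {
             return super.doTestConnection(ec2endpoint, useInstanceProfileForCredentials, credentialsId, privateKey, roleArn, roleSessionName, region);
         }
 
         @Override
+        @RequirePOST
         public FormValidation doGenerateKey(StaplerResponse rsp, @QueryParameter URL url, @QueryParameter boolean useInstanceProfileForCredentials, @QueryParameter String credentialsId, @QueryParameter String roleArn, @QueryParameter String roleSessionName)
                 throws IOException, ServletException {
             return super.doGenerateKey(rsp, url, useInstanceProfileForCredentials, credentialsId, roleArn, roleSessionName, region);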
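Review bot: Both overrides take the endpoint straight from the request (`@QueryParameter URL ec2endpoint` and `@QueryParameter URL url`), so unlike the region-derived sibling in AmazonEC2Cloud the target host is entirely caller-chosen, and the only things standing between a POST and an outbound connection to it are the new `@RequirePOST` plus the `Jenkins.ADMINISTER` check in the superclass; nothing in this file records that dependency. Add a comment above each override, e.g. `// Endpoint URL is caller-supplied; EC2Cloud checks Jenkins.ADMINISTER before connecting to it`, so a future change to the superclass check is recognised as a security change here too. `doGenerateKey` passes `region` to `super` although it is not a parameter of this override, so it is presumably a field or inherited accessor; that is pre-existing and not touched by this commit. The two methods are otherwise unchanged, and the class continues past this hunk.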
    


References

4
