VYPR
Moderate severity · NVD Advisory · Published Jan 15, 2020 · Updated Aug 4, 2024

CVE-2020-2093

Description

A CSRF vulnerability in Jenkins Health Advisor by CloudBees Plugin allows an attacker to send arbitrary emails to attacker-specified recipients.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Analysis

CVE-2020-2093 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Health Advisor by CloudBees Plugin, affecting versions 3.0 and earlier [1]. The plugin exposes a doTestSendEmail form-validation method in two places (on the global configuration object AdvisorGlobalConfiguration and again on the Recipient model, as the patch below shows) that sends a test email as a side effect. Neither method was restricted to POST requests, so the action could be triggered by a plain GET, which Jenkins' crumb-based CSRF protection does not cover because crumbs are only checked on POST; and neither method performed a permission check, so any user with Overall/Read access could invoke it [1][4].

Exploitation

There are two ways to reach the endpoint. Because it accepts GET, an attacker can host a page or link that, when visited by a logged-in Jenkins user, makes the victim's browser request the endpoint with an attacker-chosen email parameter; the browser attaches the victim's session cookie and no crumb is needed for GET, so the forged request succeeds [1]. Because the endpoint also lacks a permission check, any authenticated user with Overall/Read access can simply call it directly, with no victim involved [1][4]. In both cases the only privilege exercised on the instance is Overall/Read.
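
Added example (not from the page or from the plugin's own code): a detector for the request pattern described above, run over a constructed reverse-proxy access log in Combined Log Format. It relies only on Stapler exposing doTestSendEmail as the URL segment testSendEmail; the path prefix, hostnames, users and addresses in the sample lines are invented. It flags non-POST calls to the endpoint and calls whose Referer is missing or from another origin, and extracts the attacker-chosen recipient from the email query parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format as emitted by an nginx/Apache reverse proxy in front of Jenkins.
_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Stapler maps a doTestSendEmail(...) method to the URL segment "testSendEmail".
# The path prefix depends on where the object is mounted, so only the suffix is matched.
ENDPOINT_SUFFIX = "/testSendEmail"


def parse_clf(line):
    """Parse one access-log line into a dict, or None if it is not in Combined Log Format."""
    m = _CLF_RE.match(line)
    return m.groupdict() if m else None


def origin_of(url):
    """scheme://host[:port] of an absolute URL, lower-cased; None for relative or empty URLs."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def classify(rec, jenkins_origin):
    """Return the reasons this request looks like abuse of the unfixed endpoint (empty if benign)."""
    parts = urlsplit(rec["target"])
    if not parts.path.endswith(ENDPOINT_SUFFIX):
        return []
    reasons = []
    if rec["method"] != "POST":
        # Only an unfixed plugin (< 3.0.1) serves this action on GET; the fix rejects non-POST.
        reasons.append("non-POST request to email-sending endpoint")
    ref = rec["referer"]
    expected = origin_of(jenkins_origin) or jenkins_origin.lower()
    if ref in ("", "-"):
        reasons.append("no Referer (not sent from the Jenkins UI)")
    elif origin_of(ref) != expected:
        reasons.append(f"cross-site Referer {origin_of(ref)}")
    return reasons


def scan(lines, jenkins_origin):
    """Return a list of findings {ip, user, method, status, recipient, reasons} for suspicious requests."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        reasons = classify(rec, jenkins_origin)
        if not reasons:
            continue
        query = parse_qs(urlsplit(rec["target"]).query)
        findings.append({
            "ip": rec["ip"], "user": rec["user"], "method": rec["method"],
            "status": int(rec["status"]),
            "recipient": query.get("email", [""])[0],   # attacker-chosen recipient
            "reasons": reasons,
        })
    return findings


# Constructed sample lines (not real traffic); the paths are invented except for the
# "testSendEmail" segment, which follows from the method name in the patch.
SAMPLE_LOG = [
    '10.0.0.5 - admin [15/Jan/2020:10:00:00 +0000] "POST /cloudbees-jenkins-advisor/testSendEmail HTTP/1.1" 200 47 '
    '"https://jenkins.example.com/cloudbees-jenkins-advisor/" "Mozilla/5.0"',
    '10.0.0.7 - bob [15/Jan/2020:10:01:12 +0000] "GET /job/build-all/ HTTP/1.1" 200 8123 '
    '"https://jenkins.example.com/" "Mozilla/5.0"',
    '203.0.113.9 - reader [15/Jan/2020:10:05:01 +0000] "GET /cloudbees-jenkins-advisor/testSendEmail?email=target%40example.net&acceptToS=true HTTP/1.1" 200 47 '
    '"https://evil.example.org/bait.html" "Mozilla/5.0"',
    '198.51.100.4 - reader [15/Jan/2020:10:09:40 +0000] "GET /cloudbees-jenkins-advisor/testSendEmail?email=spam%40example.com&acceptToS=true HTTP/1.1" 200 47 '
    '"-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "https://jenkins.example.com"):
        print(f"{f['ip']} {f['user']} {f['method']} -> {f['recipient']}: {'; '.join(f['reasons'])}")
```

Run as a script it prints the two suspicious sample requests: the cross-site GET (the CSRF case) and the Referer-less GET from a command-line client (the direct-abuse case). The administrator's POST with a same-origin Referer, as sent by the Jenkins UI, is not reported. In production, point scan() at the proxy's access log and pass the origin users are expected to reach Jenkins through.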

Impact

Successful exploitation sends an email with fixed content (the plugin's test message) to any attacker-specified address [1]. The attacker controls the recipient but not the body, so the direct impact is abuse of the Jenkins server as a mail sender: unsolicited mail to arbitrary addresses and, at volume, damage to the sending domain's reputation. Because the body is fixed, the message is of limited use for phishing on its own, although mail that genuinely originates from a trusted CI server can lend credibility to a follow-up social-engineering attempt against administrators or other recipients.

Mitigation

The vulnerability is fixed in Jenkins Health Advisor by CloudBees Plugin 3.0.1; the affected-package table below lists every version before 3.0.1 as affected [1]. The fix annotates both doTestSendEmail methods with Stapler's @POST, so GET requests are rejected and the crumb check applies, and adds Jenkins.get().checkPermission(Jenkins.ADMINISTER) before the email is sent, so only administrators can trigger it [4]. Users should upgrade to 3.0.1 or later. No workaround is available, and as of this writing the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
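
Added example, not part of the advisory or the plugin: a check that reads the plugin inventory Jenkins publishes at <jenkins>/pluginManager/api/json?depth=1 and reports installs of cloudbees-jenkins-advisor (the artifactId from the affected-package table) below 3.0.1. The JSON sample is constructed. The version comparison handles dotted numeric versions with an optional -qualifier suffix, treating a qualifier such as -SNAPSHOT as a pre-release of the numbered version; other Jenkins version schemes are out of scope.

```python
import json
import re

# Package and fix boundary taken from this advisory's affected-package table.
PLUGIN_SHORT_NAME = "cloudbees-jenkins-advisor"   # artifactId of org.jenkins-ci.plugins:cloudbees-jenkins-advisor
FIRST_FIXED_VERSION = "3.0.1"


def version_key(version):
    """Sortable key for plugin versions of the form N.N[.N...][-qualifier].

    Dot-separated numeric parts compare numerically, missing trailing parts count as 0
    (so 3.0 == 3.0.0), and a qualifier after the first '-' (e.g. -SNAPSHOT, -beta-1)
    marks a pre-release that sorts below the bare version with the same numbers.
    Jenkins' newer '123.vabc...' scheme is not handled by this check."""
    main, _, qualifier = version.partition("-")
    numbers = []
    for part in main.split("."):
        digits = re.match(r"\d+", part)
        numbers.append(int(digits.group()) if digits else 0)
    numbers += [0] * (4 - len(numbers))
    return (tuple(numbers[:4]), 0 if qualifier else 1, qualifier.lower())


def is_vulnerable(version):
    """True if the given plugin version is below the first fixed release, 3.0.1."""
    return version_key(version) < version_key(FIRST_FIXED_VERSION)


def affected_installs(plugin_api_json):
    """Take the JSON body of <jenkins>/pluginManager/api/json?depth=1 (only the shortName and
    version fields are used) and return [(shortName, version)] for installed copies of the
    advisor plugin that are still affected."""
    doc = json.loads(plugin_api_json)
    return [
        (p["shortName"], p["version"])
        for p in doc.get("plugins", [])
        if p.get("shortName") == PLUGIN_SHORT_NAME and is_vulnerable(str(p.get("version", "0")))
    ]


# Constructed sample of the API response, trimmed to the fields used above.
SAMPLE_PLUGIN_API = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.0.0", "active": True},
        {"shortName": "cloudbees-jenkins-advisor", "version": "3.0", "active": True},
    ]
})

if __name__ == "__main__":
    for name, ver in affected_installs(SAMPLE_PLUGIN_API):
        print(f"{name} {ver} is affected by CVE-2020-2093; upgrade to {FIRST_FIXED_VERSION} or later")
```

Feed affected_installs() the body of an authenticated GET to the API endpoint on each controller; an empty list means no affected copy is installed. The pre-release rule matters in practice because a locally built 3.0.1-SNAPSHOT does not carry the fix guarantee of the released 3.0.1 and is reported as affected.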

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:cloudbees-jenkins-advisor (Maven)
Affected versions: < 3.0.1
Patched versions: 3.0.1

Patches

f53fe8a41a15

[SECURITY-1708]

2 files changed · +7 −0
  • src/main/java/com/cloudbees/jenkins/plugins/advisor/AdvisorGlobalConfiguration.java +3 −0 modified
    @@ -32,6 +32,7 @@
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.interceptor.RequirePOST;
    +import org.kohsuke.stapler.verb.POST;
     
     import javax.annotation.CheckForNull;
     import javax.annotation.Nonnull;
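Review bot: the file already imports org.kohsuke.stapler.interceptor.RequirePOST (two lines above the added import), and this hunk introduces a second mechanism for the same purpose, org.kohsuke.stapler.verb.POST. Both reject non-POST requests, but mixing @RequirePOST and @POST in one class makes it harder to grep for endpoints that are still unprotected. Pick one: either convert the existing @RequirePOST usages to @POST alongside this change, or reuse @RequirePOST here and drop the new import.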
    @@ -394,8 +395,10 @@ public FormValidation doCheckEmail(@QueryParameter String value) {
           return EmailValidator.validateEmail(value);
         }
         
    +    @POST
         public FormValidation doTestSendEmail(@QueryParameter("email") final String value,
                                               @QueryParameter("acceptToS") final boolean acceptToS) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
           return EmailValidator.testSendEmail(value,acceptToS);
         }
     
    
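Review bot: the verb restriction and the Jenkins.ADMINISTER check are placed correctly, before EmailValidator.testSendEmail, which is the call with the side effect; but the patch touches only main sources and adds no test, so nothing asserts that a GET or a non-administrator POST to testSendEmail is refused and the same regression could return unnoticed. Suggest a JenkinsRule test that logs in as an Overall/Read user and expects both a GET and a crumbed POST to be rejected, and as an administrator expects the send attempt to proceed. The neighbouring doCheckEmail is left without a check, which is fine: it only validates the value and has no side effect.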
  • src/main/java/com/cloudbees/jenkins/plugins/advisor/client/model/Recipient.java +4 −0 modified
    @@ -6,8 +6,10 @@
     import hudson.model.AbstractDescribableImpl;
     import hudson.model.Descriptor;
     import hudson.util.FormValidation;
    +import jenkins.model.Jenkins;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.verb.POST;
     
     public class Recipient extends AbstractDescribableImpl<Recipient> {
     
    @@ -40,8 +42,10 @@ public FormValidation doCheckEmail(@QueryParameter String value) {
           return EmailValidator.validateEmail(value);
         }
     
    +    @POST
         public FormValidation doTestSendEmail(@QueryParameter("email") final String value,
                                               @RelativePath("..") @QueryParameter("acceptToS") final boolean acceptToS) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
           return EmailValidator.testSendEmail(value, acceptToS);
         }
     
    
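Review bot: this method is a copy of AdvisorGlobalConfiguration.doTestSendEmail (same parameters, same EmailValidator.testSendEmail call), differing only in reading acceptToS from the enclosing form through @RelativePath(".."), and the vulnerability had to be fixed twice because of the duplication. Consider having Recipient delegate to the global configuration's method so that any future change to the verb or permission requirement lands in one place. The check itself, Jenkins.ADMINISTER before the sending call, matches the other file.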

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
