VYPR
Moderate severity · NVD Advisory · Published Jan 15, 2020 · Updated Aug 4, 2024

CVE-2020-2094

Description

A missing permission check in the Jenkins Health Advisor by CloudBees Plugin allows attackers with Overall/Read access to send a fixed email to an attacker-specific recipient.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Details

Health Advisor by CloudBees Plugin 3.0 and earlier exposes a form-validation method, doTestSendEmail, that sends a test email to a caller-supplied recipient. The method did not verify that the caller holds Overall/Administer (Jenkins.ADMINISTER) before sending, so the permission that protects the rest of the plugin's configuration page did not apply to this endpoint [1][4]. As the patch shows, the same unguarded method existed in two places: on the plugin's global configuration class (AdvisorGlobalConfiguration) and on the per-recipient model class (Recipient) [4].

Attack Vector

Any authenticated user with Overall/Read, and an anonymous user on instances that grant Overall/Read to anonymous, can send a request to the doTestSendEmail endpoint with an email parameter of their choosing and have the plugin dispatch its fixed test message to that address. Nothing beyond basic read access is needed [1][2]. The fix annotates both methods with @POST, so the endpoint no longer responds to plain GET requests, and adds an explicit check, Jenkins.get().checkPermission(Jenkins.ADMINISTER), before the email is sent [4].

Impact

Successful exploitation lets the attacker have the plugin send its predefined test email to any address they name. The message content is fixed by the plugin and cannot be altered, so the realistic impact is limited: nuisance mail, a social-engineering pretext that appears to come from the organisation's Jenkins setup, or a probe to see whether a given address receives mail. The CVSS base score is 4.3 (Medium) [1][3].

Mitigation

Upgrade the Jenkins Health Advisor by CloudBees Plugin to 3.0.1 or later; that release adds the missing check and requires Overall/Administer for doTestSendEmail [1]. Until the upgrade is applied, reducing who holds Overall/Read (in particular, not granting it to anonymous or to all authenticated users) shrinks the set of users who can reach the endpoint, but only upgrading closes it.
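A quick way to tell whether an instance still runs an affected version is to read the plugin inventory Jenkins serves at /pluginManager/api/json?depth=1 and compare the installed version of cloudbees-jenkins-advisor (the short name of org.jenkins-ci.plugins:cloudbees-jenkins-advisor) against 3.0.1. The script below is an added example written for this page, not code from the plugin or from CloudBees; it assumes the real shape of that JSON (a plugins array whose entries carry shortName, version and active) and embeds a constructed sample so it runs offline. The version parser is the part worth having: a plain string comparison would call 3.0.10 older than 3.0.9.

```python
"""Flag a vulnerable Health Advisor by CloudBees Plugin in a Jenkins plugin inventory.

Added example, not code from the page or the plugin. Input is the JSON that
Jenkins serves at /pluginManager/api/json?depth=1; the field names used here
(plugins, shortName, version, active) are the ones that endpoint returns.
"""
import json

PLUGIN = "cloudbees-jenkins-advisor"   # short name of org.jenkins-ci.plugins:cloudbees-jenkins-advisor
FIXED = "3.0.1"                         # first release with the permission check

# Constructed sample in the shape of /pluginManager/api/json?depth=1; not a real capture.
SAMPLE = json.dumps({
    "plugins": [
        {"shortName": "cloudbees-jenkins-advisor", "version": "3.0", "active": True},
        {"shortName": "git", "version": "4.0.0", "active": True},
    ]
})


def parse_version(v):
    """Turn a Jenkins plugin version string into a tuple that compares correctly.

    Plugin versions are dotted numerics with an optional suffix such as
    "3.0.1-SNAPSHOT" or "2.1-beta-1". Numeric parts compare numerically
    (3.0.10 > 3.0.9), short versions are padded (3.0 == 3.0.0 < 3.0.1), and
    any suffixed build sorts before the plain release of the same number.
    """
    core, _, suffix = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums = nums + (0,) * (4 - len(nums))
    return nums + ((0,) if suffix else (1,))


def is_vulnerable(version, fixed=FIXED):
    """True when the installed version is older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable(plugin_json, plugin=PLUGIN, fixed=FIXED):
    """Return (version, active) if the plugin is installed below `fixed`, else None.

    A disabled plugin is still reported (with active=False) because it is
    one click away from being re-enabled with the same vulnerable code.
    """
    data = json.loads(plugin_json)
    for entry in data.get("plugins", []):
        if entry.get("shortName") == plugin:
            version = entry.get("version", "0")
            if is_vulnerable(version, fixed):
                return (version, bool(entry.get("active", False)))
            return None
    return None


if __name__ == "__main__":
    import sys
    # Read real inventory from stdin when piped in; fall back to the sample.
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hit = find_vulnerable(raw)
    if hit is None:
        print(f"{PLUGIN}: not installed, or already at {FIXED} or later")
    else:
        version, active = hit
        state = "active" if active else "disabled"
        print(f"{PLUGIN} {version} ({state}) is below {FIXED}: upgrade")
```

Saved as, say, check_advisor.py (name is mine), it can be fed a live inventory with `curl -s -u USER:API_TOKEN 'https://jenkins.example/pluginManager/api/json?depth=1' | python3 check_advisor.py`, using an account allowed to view the plugin manager. Run without input it reports on the embedded sample.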

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.jenkins-ci.plugins:cloudbees-jenkins-advisor | Maven | < 3.0.1 | 3.0.1

Patches

f53fe8a41a15

[SECURITY-1708]

2 files changed · +7 −0
  • src/main/java/com/cloudbees/jenkins/plugins/advisor/AdvisorGlobalConfiguration.java · +3 −0 · modified
    @@ -32,6 +32,7 @@
     import org.kohsuke.stapler.QueryParameter;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.interceptor.RequirePOST;
    +import org.kohsuke.stapler.verb.POST;
     
     import javax.annotation.CheckForNull;
     import javax.annotation.Nonnull;
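Review bot: the new `import org.kohsuke.stapler.verb.POST;` lands two lines below the existing `import org.kohsuke.stapler.interceptor.RequirePOST;`, so this file now carries both of Stapler's POST-only mechanisms; if `@RequirePOST` is no longer used anywhere in the class, drop the stale import, and either way settle on one annotation for every form-validation endpoint so the convention is obvious to whoever adds the next one.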
    @@ -394,8 +395,10 @@ public FormValidation doCheckEmail(@QueryParameter String value) {
           return EmailValidator.validateEmail(value);
         }
         
    +    @POST
         public FormValidation doTestSendEmail(@QueryParameter("email") final String value,
                                               @QueryParameter("acceptToS") final boolean acceptToS) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
           return EmailValidator.testSendEmail(value,acceptToS);
         }
     
    
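Review bot: the order is right (`Jenkins.get().checkPermission(Jenkins.ADMINISTER)` runs before `EmailValidator.testSendEmail(value,acceptToS)`, so a denied caller triggers no mail), but the patch touches no test sources; add a test that calls `testSendEmail` as a user with only Overall/Read and expects a 403 with nothing sent, and one that issues a GET as an administrator and expects `@POST` to reject it, so neither guard can be silently dropped later. `doCheckEmail` just above stays unguarded, which is fine only if `EmailValidator.validateEmail(value)` has no side effect; a one-line comment confirming that would save the next auditor a look.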
  • src/main/java/com/cloudbees/jenkins/plugins/advisor/client/model/Recipient.java · +4 −0 · modified
    @@ -6,8 +6,10 @@
     import hudson.model.AbstractDescribableImpl;
     import hudson.model.Descriptor;
     import hudson.util.FormValidation;
    +import jenkins.model.Jenkins;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.verb.POST;
     
     public class Recipient extends AbstractDescribableImpl<Recipient> {
     
    @@ -40,8 +42,10 @@ public FormValidation doCheckEmail(@QueryParameter String value) {
           return EmailValidator.validateEmail(value);
         }
     
    +    @POST
         public FormValidation doTestSendEmail(@QueryParameter("email") final String value,
                                               @RelativePath("..") @QueryParameter("acceptToS") final boolean acceptToS) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
           return EmailValidator.testSendEmail(value, acceptToS);
         }
     
    
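Review bot: this method is now a copy of the one in `AdvisorGlobalConfiguration`, differing only in `@RelativePath("..")` on `acceptToS`; rather than keeping two places that must each remember both `@POST` and `checkPermission`, move the guard together with the `EmailValidator.testSendEmail(value, acceptToS)` call into one shared helper (or into `EmailValidator.testSendEmail` itself) so a third caller cannot bypass it. Also confirm `@RelativePath` was already imported in this file, since the import hunk above adds only `jenkins.model.Jenkins` and `org.kohsuke.stapler.verb.POST`.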

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
