Moderate severity · NVD Advisory · Published Mar 9, 2020 · Updated Aug 4, 2024

CVE-2020-2142

Description

A missing permission check in Jenkins P4 Plugin 1.10.10 and earlier allows attackers with Overall/Read permission to trigger builds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2020-2142: Jenkins P4 Plugin prior to 1.10.11 lacks authorization checks on its build-trigger endpoints, allowing users with only Overall/Read permission to trigger builds.

Vulnerability

CVE-2020-2142 describes a missing permission check in the Jenkins P4 Plugin (Perforce Plugin) versions 1.10.10 and earlier. The plugin's endpoints for triggering builds did not properly verify that the user had the required Item/BUILD permission, only checking for Overall/Read permission. This means any authenticated user with the low-privilege 'Read' access could invoke build operations. [1][2]

Exploitation

An attacker with only Overall/Read permission can trigger builds by sending crafted requests to the plugin's doBuildSubmit and doBuild methods. The fix, as shown in the commit [3], adds the @POST annotation and explicit project.checkPermission(Item.BUILD) checks to these methods, and applies the same @POST plus checkPermission(Item.BUILD) treatment to the P4Hook webhook endpoints doEvent, doChange and doChangeSubmit. No special network position or further authentication is required beyond having a Jenkins account with the baseline read permission. [3][4]

Impact

Successful exploitation allows an attacker to initiate builds on any job accessible to them, potentially consuming resources, altering build history, or interfering with the normal pipeline execution. Although the attacker cannot modify job configuration or execute arbitrary code, the ability to trigger builds can be used to degrade service or as part of a larger attack chain. [1][2]

Mitigation

The vulnerability is fixed in P4 Plugin version 1.10.11 [2]. Users should upgrade immediately. No workarounds are mentioned in the advisory. The issue was disclosed in the March 2020 Jenkins Security Advisory and is assigned CVE-2020-2142. [1][2][4]
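As an added exposure check (not part of this advisory or the plugin's own code), the script below reads the JSON that Jenkins serves from its pluginManager API and flags any P4 plugin entry below the patched release 1.10.11; it assumes the plugin's shortName is the artifactId p4 from the package table, and it embeds a constructed sample response so it runs offline.

```python
"""Exposure check for CVE-2020-2142: flag Jenkins P4 Plugin ("p4") releases below 1.10.11.

Input is the JSON Jenkins serves at /pluginManager/api/json?depth=1, e.g. fetched with
  curl -u USER:API_TOKEN "$JENKINS_URL/pluginManager/api/json?depth=1"
"""
import json
import re

PATCHED_VERSION = "1.10.11"  # first fixed release per the advisory
PLUGIN_ID = "p4"             # artifactId of org.jenkins-ci.plugins:p4

# Constructed sample of a pluginManager API response (not captured from a real host).
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.2.0", "active": True},
    {"shortName": "p4", "version": "1.10.10", "active": True},
]})


def version_key(version: str) -> tuple:
    """Tuple that orders plugin versions correctly: components compare numerically
    (1.10.10 < 1.10.11 and 1.9 < 1.10, which a string compare gets wrong), trailing
    zeros are dropped (1.10 == 1.10.0) and a -beta/-SNAPSHOT suffix sorts below the release."""
    main, _, suffix = version.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", main)]
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), -1 if suffix else 0, suffix)


def is_vulnerable(version: str) -> bool:
    """True when the installed P4 plugin is strictly below the patched release."""
    return version_key(version) < version_key(PATCHED_VERSION)


def affected_plugins(pluginmanager_json: str) -> list:
    """[(shortName, version)] for every P4 plugin entry still below the fix.
    Disabled plugins are reported too: the jar stays on disk and can be re-enabled."""
    hits = []
    for plugin in json.loads(pluginmanager_json).get("plugins", []):
        ver = plugin.get("version", "?")  # unknown version is treated as unpatched
        if plugin.get("shortName") == PLUGIN_ID and is_vulnerable(ver):
            hits.append((PLUGIN_ID, ver))
    return hits


if __name__ == "__main__":
    for name, ver in affected_plugins(SAMPLE_RESPONSE):
        print(f"{name} {ver} is affected by CVE-2020-2142; upgrade to {PATCHED_VERSION}")
```

Reading the API with an account that holds Overall/Administer is enough; the script never changes anything on the controller.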

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:p4 (Maven)
Affected versions: < 1.10.11
Patched versions: 1.10.11


Patches

2f2a31d8d36d

[SECURITY-1765]

https://github.com/jenkinsci/p4-plugin · Paul Allen · Mar 3, 2020 · via ghsa
4 files changed · +27 −7
  • src/main/java/org/jenkinsci/plugins/p4/review/ReviewAction.java (+7 −2, modified)
    @@ -1,9 +1,9 @@
     package org.jenkinsci.plugins.p4.review;
     
    -import hudson.model.AbstractProject;
     import hudson.model.Action;
     import hudson.model.Cause;
     import hudson.model.CauseAction;
    +import hudson.model.Item;
     import hudson.model.Job;
     import hudson.model.ParameterDefinition;
     import hudson.model.ParameterValue;
    @@ -17,6 +17,7 @@
     import net.sf.json.JSONObject;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.kohsuke.stapler.verb.POST;
     
     import javax.servlet.ServletException;
     import java.io.IOException;
    @@ -67,17 +68,21 @@ public List<StringParameterValue> getAvailableParameters() {
     		return stringParameters;
     	}
     
    +	@POST
     	public void doBuildSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
     
    +		project.checkPermission(Item.BUILD);
    +
     		JSONObject formData = req.getSubmittedForm();
     		if (!formData.isEmpty()) {
     			doBuild(req, rsp);
     		}
     	}
     
    +	@POST
     	public void doBuild(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
     
    -		project.checkPermission(AbstractProject.BUILD);
    +		project.checkPermission(Item.BUILD);
     
     		List<ParameterValue> values = new ArrayList<ParameterValue>();
     		List<ParameterDefinition> defs = new ArrayList<ParameterDefinition>();
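Review bot: adding @POST to doBuild rejects GET requests from existing callers, yet the only view touched in this commit is tagForm.jelly; confirm the review form that submits to doBuildSubmit/doBuild already uses method="post" (or Jenkins' <f:form>, which posts and carries the crumb), otherwise the hardened endpoint will answer 405 to the plugin's own UI. Checking Item.BUILD in doBuildSubmit and again in doBuild is fine because doBuild stays independently reachable; a one-line comment saying so would keep a later cleanup from removing one of them.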
    
  • src/main/java/org/jenkinsci/plugins/p4/tagging/TagAction.java (+3 −1, modified)
    @@ -23,6 +23,7 @@
     import org.jenkinsci.plugins.p4.workspace.Workspace;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.kohsuke.stapler.verb.POST;
     
     import javax.servlet.ServletException;
     import java.io.File;
    @@ -84,6 +85,7 @@ public boolean isTagged() {
     		return tags != null && !tags.isEmpty();
     	}
     
    +	@POST
     	public void doSubmit(StaplerRequest req, StaplerResponse rsp) throws Exception, ServletException {
     
     		getACL().checkPermission(PerforceScm.TAG);
    @@ -274,7 +276,7 @@ public static List<P4Ref> getLastChange(Run<?, ?> run, TaskListener listener, St
     		// Fetch all syncIDs and check for duplicates JENKINS-55075
     		List<String> syncList = new ArrayList<>();
     		for (TagAction action : actions) {
    -			if(syncList.contains(action.getSyncID())) {
    +			if (syncList.contains(action.getSyncID())) {
     				listener.getLogger().println("WARNING: duplicate syncID found: " + action.getSyncID());
     				logger.severe("WARNING: duplicate syncID found: " + action.getSyncID());
     			}
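Review bot: the `if(` to `if (` change in getLastChange is an unrelated formatting edit inside a security fix; keeping SECURITY-1765 limited to the permission and HTTP-verb changes makes the backport and the audit diff smaller.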
    
  • src/main/java/org/jenkinsci/plugins/p4/trigger/P4Hook.java (+16 −3, modified)
    @@ -2,6 +2,7 @@
     
     import edu.umd.cs.findbugs.annotations.CheckForNull;
     import hudson.Extension;
    +import hudson.model.Item;
     import hudson.model.Job;
     import hudson.model.UnprotectedRootAction;
     import jenkins.model.Jenkins;
    @@ -14,6 +15,7 @@
     import org.jenkinsci.plugins.p4.scm.events.P4BranchSCMHeadEvent;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.kohsuke.stapler.verb.POST;
     
     import javax.servlet.ServletException;
     import java.io.IOException;
    @@ -24,6 +26,8 @@
     import java.util.concurrent.Executors;
     import java.util.logging.Logger;
     
    +import static hudson.Functions.checkPermission;
    +
     @Extension
     public class P4Hook implements UnprotectedRootAction {
     
    @@ -46,8 +50,11 @@ public String getUrlName() {
     		return URLNAME;
     	}
     
    +	@POST
     	public void doEvent(StaplerRequest req) throws ServletException, IOException {
     
    +		checkPermission(Item.BUILD);
    +
     		// exit early if no json
     		String contentType = req.getContentType();
     		if (contentType == null || !contentType.startsWith("application/json")) {
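Review bot: checkPermission(Item.BUILD) via the static import from hudson.Functions is evaluated against the Jenkins root object, not against the job the event will affect, which is coarser than the per-job project.checkPermission(Item.BUILD) used in ReviewAction; a comment should state why a global Item/Build grant is the intended bar for this hook. P4Hook is also declared as an UnprotectedRootAction, which signals anonymous reachability, so the class Javadoc should say that Perforce webhook callers now have to authenticate as a user holding Item/Build or their event and change POSTs will be refused.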
    @@ -66,7 +73,11 @@ public void doEvent(StaplerRequest req) throws ServletException, IOException {
     		SCMHeadEvent.fireNow(new P4BranchSCMHeadEvent(eventType, payload, SCMEvent.originOf(req)));
     	}
     
    -	public void doChange(StaplerRequest req) throws IOException {
    +	@POST
    +	public void doChange(StaplerRequest req) throws ServletException, IOException {
    +
    +		checkPermission(Item.BUILD);
    +
     		String body = IOUtils.toString(req.getInputStream(), Charset.forName("UTF-8"));
     		String contentType = req.getContentType();
     		if (contentType != null && contentType.startsWith("application/json")) {
    @@ -102,8 +113,10 @@ public void run() {
     		}
     	}
     
    -	public void doChangeSubmit(StaplerRequest req, StaplerResponse rsp)
    -			throws IOException, ServletException {
    +	@POST
    +	public void doChangeSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
    +
    +		checkPermission(Item.BUILD);
     
     		JSONObject formData = req.getSubmittedForm();
     		if (!formData.isEmpty()) {
    
  • src/main/resources/org/jenkinsci/plugins/p4/tagging/TagAction/tagForm.jelly (+1 −1, modified)
    @@ -40,7 +40,7 @@
     
     			<p><b>Create a Perforce Automatic label:</b></p>
     			<p>The Label's view is based on the workspace used during the build and Revision is set to change number: ${it.buildChange}.</p>
    -			<form action="submit" method="get" name="label">
    +			<form action="submit" method="post" name="label">
     				<table border="0" width="640">
     					<tr>
     						<td nowrap="nowrap"><b>Label Name:</b> </td>
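Review bot: method="post" is required now that doSubmit carries @POST, but this is a raw <form> rather than Jenkins' <f:form>; verify the CSRF crumb is attached to the submission (by the standard form behaviour on the page or an explicit hidden crumb field), otherwise users who hold PerforceScm.TAG will still get a 403 from the crumb filter.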
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
