CVE-2020-2147
Description
A cross-site request forgery vulnerability in Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Mac Plugin 1.1.0 and earlier allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials via CSRF.
Vulnerability
Overview
CVE-2020-2147 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Mac Plugin, affecting versions 1.1.0 and earlier. The plugin allows users to configure Mac agents via SSH, but fails to perform a proper CSRF check when establishing connections [1]. This means that an attacker can trick an authenticated Jenkins user into sending a crafted request that makes the plugin connect to an attacker-controlled SSH server using credentials supplied by the attacker [2].
Exploitation
Exploitation requires that the victim has at least Overall/Read permission on the Jenkins instance and is authenticated at the time of the attack. The attacker does not need any special privileges beyond crafting a malicious webpage or link that triggers the forged request [1]. Since no CSRF token is validated, the attack can be executed silently if the victim clicks a link or visits a compromised site while logged into Jenkins [2].
Impact
A successful CSRF attack allows the attacker to connect Jenkins to an arbitrary SSH server. This could be used to establish a foothold for further attacks, such as data exfiltration or lateral movement from the attacker-controlled server into the Jenkins environment [2]. While the attacker does not gain direct code execution on the Jenkins controller, the ability to manipulate agent connections undermines the integrity of the build infrastructure [1].
Mitigation
The vulnerability is fixed in version 1.2.0 of the Mac Plugin, released on 2020-03-09 as part of the Jenkins Security Advisory [1][3]. Users should upgrade to this version immediately. There is no workaround available other than disabling the plugin or applying the update [4].
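The fix pattern described above, as an added illustration that is not the Mac Plugin's own code: a Jenkins form-validation endpoint that opens a connection to a caller-supplied host, first as CVE-2020-2147 left it and then hardened with `@POST` (CSRF crumb enforcement) plus an Overall/Administer check before any network activity. The class is assumed to be reachable in Jenkins' URL tree; class, method and helper names are hypothetical.

```java
// Added illustration, not the Mac Plugin's own code: a form-validation endpoint
// that opens a connection to a caller-supplied host, first as CVE-2020-2147 left
// it, then hardened the way the 1.2.0 fix does. The class is assumed to be
// reachable in Jenkins' URL tree; class, method and helper names are hypothetical.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

public class SshAgentHostForm {

    // BEFORE: reachable via GET, so a link or <img> on any site makes the
    // victim's browser call it, and no permission is checked, so any user
    // with Overall/Read can make Jenkins connect to any host.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String host,
            @QueryParameter int port, @QueryParameter String credentialsId) {
        try {
            return FormValidation.ok(probe(host, port, credentialsId));
        } catch (IOException ex) {
            return FormValidation.error(ex.getMessage());
        }
    }

    // AFTER: @POST makes Stapler reject GET and require a valid CSRF crumb, and
    // the ADMINISTER check runs before any network activity. It sits outside the
    // try so an unauthorised caller gets Jenkins' standard 403 response rather
    // than a form message.
    @POST
    public FormValidation doTestConnection(@QueryParameter String host,
            @QueryParameter int port, @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            return FormValidation.ok(probe(host, port, credentialsId));
        } catch (IOException ex) {
            return FormValidation.error(ex.getMessage());
        }
    }

    // Hypothetical stand-in for the plugin's SSH check: a TCP reachability
    // probe only, no authentication is attempted.
    private static String probe(String host, int port, String credentialsId) throws IOException {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), 30_000);
            return "reached " + host + ":" + port + " (credentials id " + credentialsId + ")";
        }
    }
}
```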
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fr.edf.jenkins.plugins:mac (Maven) | < 1.2.0 | 1.2.0 |
Affected products
- Range: <= 1.1.0
- Range: unspecified
Patches
2 files changed · +21 −6
src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy+2 −6 modified@@ -1,5 +1,6 @@ package fr.edf.jenkins.plugins.mac +import org.acegisecurity.AccessDeniedException import org.apache.commons.lang.StringUtils import org.kohsuke.stapler.AncestorInPath import org.kohsuke.stapler.DataBoundConstructor @@ -224,12 +225,7 @@ class MacHost implements Describable<MacHost> { */ @POST public FormValidation doCheckKey(@QueryParameter String key) { - try { - MacHostKeyVerifier.parseKey(key) - return FormValidation.ok() - } catch (MacHostKeyVerifierException|IllegalArgumentException ex) { - return FormValidation.error(ex.getMessage()) - } + return FormUtils.verifyHostKey(key) } } }
src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy+19 −0 modified@@ -4,6 +4,7 @@ import static com.cloudbees.plugins.credentials.CredentialsMatchers.anyOf import static com.cloudbees.plugins.credentials.CredentialsMatchers.instanceOf import static com.cloudbees.plugins.credentials.domains.URIRequirementBuilder.fromUri +import org.acegisecurity.AccessDeniedException import org.antlr.v4.runtime.misc.NotNull import org.jenkinsci.plugins.plaincredentials.FileCredentials import org.kohsuke.accmod.Restricted @@ -18,6 +19,7 @@ import fr.edf.jenkins.plugins.mac.Messages import fr.edf.jenkins.plugins.mac.ssh.SSHCommand import fr.edf.jenkins.plugins.mac.ssh.connection.SSHGlobalConnectionConfiguration import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifier +import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifierException import hudson.model.Item import hudson.model.ModelObject import hudson.security.ACL @@ -94,6 +96,7 @@ class FormUtils { static FormValidation verifyConnection(final String host, final Integer port, final String credentialsId, final String key, final ModelObject context) { try { + Jenkins.get().checkPermission(Jenkins.ADMINISTER) MacHostKeyVerifier verifier = new MacHostKeyVerifier(key) String result = SSHCommand.checkConnection(new SSHGlobalConnectionConfiguration(credentialsId: credentialsId, port: port, context: context, host: host, connectionTimeout: 30, 
@@ -160,4 +163,20 @@ class FormUtils { fromUri(getUri(Jenkins.get().getRootUrl()).toString()).build(), anyOf(instanceOf(FileCredentials))) } + + /** + * Check the validity of the given key + * @param key + * @return ok if valid, error with exception message if not + */ + @Restricted(NoExternalUse) + static FormValidation verifyHostKey(String key) { + try { + Jenkins.get().checkPermission(Jenkins.ADMINISTER) + MacHostKeyVerifier.parseKey(key) + return FormValidation.ok() + } catch (MacHostKeyVerifierException|IllegalArgumentException|AccessDeniedException ex) { + return FormValidation.error(ex.getMessage()) + } + } }
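Review bot: the `import org.acegisecurity.AccessDeniedException` added to MacHost.groovy looks unused after this change, because `doCheckKey` now just returns `FormUtils.verifyHostKey(key)` and the catch clause that would reference it moved to FormUtils; drop the import. The method keeps its `@POST`, so this form check is not GET-reachable, and the delegated permission check supplies the authorisation that was missing.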
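Review bot: in `verifyConnection`, the new `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is placed inside the `try`; the catch clause is outside the hunk, but if it is as broad as the one in `verifyHostKey`, the `AccessDeniedException` becomes a form error instead of Jenkins' standard 403. Moving the check above the `try` is clearer. The hunk also does not show the web method that calls `verifyConnection`; the CSRF half of this fix depends on that method carrying `@POST`, which should be confirmed in the same change.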
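Review bot: `verifyHostKey` catches `AccessDeniedException` together with the key-parsing exceptions and returns `FormValidation.error(ex.getMessage())`, so an unauthorised caller gets the same response shape as a malformed key. Doing the permission check before the `try` and letting the exception propagate gives the standard 403 and keeps the documented contract of "ok if valid, error with exception message if not". The Javadoc `@param key` line also has no description; state there that the caller needs Overall/Administer.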
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qcfq-35v7-4fw7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2147 (NVD advisory)
- www.openwall.com/lists/oss-security/2020/03/09/1 (oss-security mailing list)
- github.com/jenkinsci/mac-plugin/commit/86aebd3d33526d83d6cbc9aef7fb1f4831fb1805 (fix commit)
- jenkins.io/security/advisory/2020-03-09/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2020-03-09 (Jenkins Security Advisories, Mar 9, 2020)