CVE-2020-2148
Description
A missing permission check in Jenkins Mac Plugin 1.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-2148 is a missing permission check in Jenkins Mac Plugin 1.1.0 and earlier that allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials.
Vulnerability
Overview
CVE-2020-2148 is a missing permission check vulnerability in the Jenkins Mac Plugin versions 1.1.0 and earlier [1]. The plugin fails to properly verify that a user has the necessary permissions before allowing them to configure SSH connections. This flaw enables an attacker with only Overall/Read permission to connect to an arbitrary SSH server controlled by the attacker, using attacker-specified credentials [1][2].
Exploitation
An attacker must have Overall/Read permission on the Jenkins instance, which is typically a low-privilege permission granted to many users. No additional authentication is required beyond that. The attacker can then manipulate the plugin's configuration to point to an external SSH server they control, specifying credentials they choose [1]. This attack can be carried out remotely without any special network position, as long as the attacker can reach the Jenkins UI or API [4].
Impact
Successful exploitation allows the attacker to establish an outbound SSH connection from the Jenkins controller to a server under their control. This could be used to exfiltrate data, perform reconnaissance on internal networks, or serve as a pivot point for further attacks. The attacker gains the ability to run commands or transfer files as the Jenkins process, potentially leading to a full compromise of the Jenkins environment [1][4].
Mitigation
The vulnerability is fixed in Mac Plugin version 1.2.0, which adds proper permission checks [2]. Users should update to this version immediately. No workarounds are documented; restricting Overall/Read permissions may reduce exposure but does not fully mitigate the issue. The plugin is part of the Jenkins ecosystem and is not known to be exploited in the wild as of the advisory date [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fr.edf.jenkins.plugins:mac (Maven) | < 1.2.0 | 1.2.0 |
Affected products
- Range: <= 1.1.0
- Range: unspecified
Patches
2 files changed · +21 −6
src/main/java/fr/edf/jenkins/plugins/mac/MacHost.groovy+2 −6 modified@@ -1,5 +1,6 @@ package fr.edf.jenkins.plugins.mac +import org.acegisecurity.AccessDeniedException import org.apache.commons.lang.StringUtils import org.kohsuke.stapler.AncestorInPath import org.kohsuke.stapler.DataBoundConstructor @@ -224,12 +225,7 @@ class MacHost implements Describable<MacHost> { */ @POST public FormValidation doCheckKey(@QueryParameter String key) { - try { - MacHostKeyVerifier.parseKey(key) - return FormValidation.ok() - } catch (MacHostKeyVerifierException|IllegalArgumentException ex) { - return FormValidation.error(ex.getMessage()) - } + return FormUtils.verifyHostKey(key) } } }
src/main/java/fr/edf/jenkins/plugins/mac/util/FormUtils.groovy+19 −0 modified@@ -4,6 +4,7 @@ import static com.cloudbees.plugins.credentials.CredentialsMatchers.anyOf import static com.cloudbees.plugins.credentials.CredentialsMatchers.instanceOf import static com.cloudbees.plugins.credentials.domains.URIRequirementBuilder.fromUri +import org.acegisecurity.AccessDeniedException import org.antlr.v4.runtime.misc.NotNull import org.jenkinsci.plugins.plaincredentials.FileCredentials import org.kohsuke.accmod.Restricted @@ -18,6 +19,7 @@ import fr.edf.jenkins.plugins.mac.Messages import fr.edf.jenkins.plugins.mac.ssh.SSHCommand import fr.edf.jenkins.plugins.mac.ssh.connection.SSHGlobalConnectionConfiguration import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifier +import fr.edf.jenkins.plugins.mac.ssh.key.verifiers.MacHostKeyVerifierException import hudson.model.Item import hudson.model.ModelObject import hudson.security.ACL @@ -94,6 +96,7 @@ class FormUtils { static FormValidation verifyConnection(final String host, final Integer port, final String credentialsId, final String key, final ModelObject context) { try { + Jenkins.get().checkPermission(Jenkins.ADMINISTER) MacHostKeyVerifier verifier = new MacHostKeyVerifier(key) String result = SSHCommand.checkConnection(new SSHGlobalConnectionConfiguration(credentialsId: credentialsId, port: port, context: context, host: host, connectionTimeout: 30, 
@@ -160,4 +163,20 @@ class FormUtils { fromUri(getUri(Jenkins.get().getRootUrl()).toString()).build(), anyOf(instanceOf(FileCredentials))) } + + /** + * Check the validity of the given key + * @param key + * @return ok if valid, error with exception message if not + */ + @Restricted(NoExternalUse) + static FormValidation verifyHostKey(String key) { + try { + Jenkins.get().checkPermission(Jenkins.ADMINISTER) + MacHostKeyVerifier.parseKey(key) + return FormValidation.ok() + } catch (MacHostKeyVerifierException|IllegalArgumentException|AccessDeniedException ex) { + return FormValidation.error(ex.getMessage()) + } + } }
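Review bot: the `import org.acegisecurity.AccessDeniedException` added to MacHost.groovy in the first hunk is unused, because the second hunk replaces the only try/catch in doCheckKey with a plain delegation to FormUtils.verifyHostKey; drop the import, or catch the exception in MacHost if the denial is meant to be handled there.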
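Review bot: the Javadoc that closes just above `@POST` in the doCheckKey hunk still describes a key-format check, but the method now requires Overall/Administer through FormUtils.verifyHostKey; state that requirement in the Javadoc so a FormValidation error is not mistaken for a malformed key. Keeping `@POST` is correct, since the endpoint still performs a state-relevant action and should not be reachable by GET.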
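Review bot: in verifyConnection, `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is placed before `new MacHostKeyVerifier(key)` and before `SSHCommand.checkConnection(...)`, so no SSH connection is attempted for an unauthorised caller, which is exactly what this CVE requires; the catch clause of that try block is outside the hunk, though, so confirm it handles AccessDeniedException (the import added at the top of FormUtils suggests it is expected there) rather than a generic `catch (Exception e)` that would silently convert the denial into an error string with different wording from verifyHostKey. The check is against the global Jenkins object even though a ModelObject `context` is passed in; that is the right scope if the host configuration is global, so add a comment saying so to stop a later refactor from relaxing it to an item-level permission.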
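Review bot: verifyHostKey performs the Administer check before `MacHostKeyVerifier.parseKey(key)`, so untrusted input is not parsed before authorisation, which is the correct order; however, catching AccessDeniedException and returning `FormValidation.error(ex.getMessage())` means a user without the permission receives an HTTP 200 carrying the denial text instead of Jenkins's standard 403 handling. That is acceptable for a form-validation endpoint, but the Javadoc should say so: `@param key` has no description and nothing mentions that the method requires Overall/Administer and reports an error to callers lacking it.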
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-2m74-x26c-g7xc (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-2148 (advisory)
- [3] www.openwall.com/lists/oss-security/2020/03/09/1 (oss-security mailing list)
- [4] github.com/jenkinsci/mac-plugin/commit/86aebd3d33526d83d6cbc9aef7fb1f4831fb1805 (fix commit)
- [5] jenkins.io/security/advisory/2020-03-09/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2020-03-09 (Jenkins Security Advisories · Mar 9, 2020)