VYPR
Moderate severity · NVD Advisory · Published Jun 3, 2020 · Updated Aug 4, 2024

CVE-2020-2197

Description

Jenkins Project Inheritance Plugin 19.08.02 and earlier allows attackers to read job configuration XML without the required Job/ExtendedRead permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2020-2197 affects the Jenkins Project Inheritance Plugin, versions 19.08.02 and earlier. The plugin serves the configuration of Inheritance Project jobs in XML form through an HTTP endpoint that does not perform the permission check Jenkins core applies to job configuration XML, Job/ExtendedRead. Users who lack that permission can therefore retrieve configuration data that core deliberately keeps from them. [1][3]

Exploitation

An attacker who can reach the Jenkins instance at all, potentially a low-privilege account, can exploit this by requesting the XML representation of an Inheritance Project job from the affected endpoint. Nothing beyond that ordinary access is required: the missing check is the only thing between the requester and the XML, so exploitation is straightforward once the attacker can send requests to the plugin's endpoints. [1][2]

Impact

Successful exploitation discloses the entire job configuration, which may include credential references, stored secrets, build parameters, SCM settings and build steps. Even where secret values are stored encrypted, the rest of the configuration maps out the build and the systems it integrates with, which helps an attacker move further into the Jenkins environment or the services it talks to. The issue is rated moderate severity, but the real impact depends on what is stored in the affected job configurations. [1][3]

Mitigation

As of the advisory's publication, no fixed version of the Project Inheritance Plugin had been released. The GitHub Security Advisory data on this page lists versions up to and including 21.04.03 as affected, with no patched version, so upgrading the plugin alone does not address the issue. Users are advised to restrict who can reach Jenkins at all, since the missing check can only be exercised by someone able to send requests to the instance, to remove or disable the plugin if it is not essential, and to review Inheritance Project configurations for secrets that a reader without Job/ExtendedRead would otherwise obtain. [1][2][4]
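To make the version check and the permission-check test above repeatable, here is an added Python example (not code from this page, the plugin or the Jenkins project). It compares an installed plugin version against the "<= 21.04.03" range shown on this page, and probes a job's configuration endpoints with a low-privilege account, using the core /job/<name>/config.xml endpoint (which Jenkins core protects with Job/ExtendedRead) as the control. The plugin's own endpoint is not named on this page, so the path /job/demo/hypothetical-plugin-xml, the job name demo and the sample responses are constructed placeholders; pass the real plugin path and a real API token to run it against an instance.

```python
"""Check a Project Inheritance Plugin version against the CVE-2020-2197 advisory
range and test whether job configuration XML is served without Job/ExtendedRead."""
import base64
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Upper bound of the affected range listed in the GitHub Security Advisory on
# this page. No patched version is listed, so a higher version is NOT confirmed fixed.
ADVISORY_MAX_VERSION = "21.04.03"

Fetch = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, response body)


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted plugin version such as "19.08.02" into comparable ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def in_advisory_range(version: str) -> bool:
    """True when the version falls inside the '<= 21.04.03' range the advisory lists."""
    return parse_version(version) <= parse_version(ADVISORY_MAX_VERSION)


def classify(status: int, body: str) -> str:
    """Label one response; 'exposed' means configuration XML came back to the caller.

    Jenkins answers a permission failure with an HTML 403 page, and follows an
    anonymous request with a redirect to the HTML login page, so a 200 is only
    counted as exposure when the body is XML rather than HTML.
    """
    text = body.lstrip()
    head = text[:256].lower()
    if status == 200 and text.startswith("<") and "<html" not in head \
            and not head.startswith("<!doctype"):
        return "exposed"
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    return f"other({status})"


def probe_job(fetch: Fetch, job: str, extra_paths: Iterable[str] = ()) -> Dict[str, str]:
    """Request core config.xml plus any plugin-specific paths with the same session.

    With an account that lacks Job/ExtendedRead the core path should report
    'denied'; any other path reporting 'exposed' is handing out the job
    configuration without that permission check.
    """
    paths = [f"/job/{job}/config.xml", *extra_paths]
    return {path: classify(*fetch(path)) for path in paths}


def exposed_paths(results: Dict[str, str]) -> List[str]:
    return [path for path, label in results.items() if label == "exposed"]


def http_fetcher(base_url: str, user: str, api_token: str) -> Fetch:
    """Build a fetch closure using HTTP basic auth with a Jenkins user API token."""
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()

    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Authorization": "Basic " + auth})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


# Constructed sample responses standing in for a live server so the block runs
# offline: core config.xml is denied, a hypothetical plugin path returns the XML.
SAMPLE_RESPONSES = {
    "/job/demo/config.xml": (403, "<html><body>Access Denied</body></html>"),
    "/job/demo/hypothetical-plugin-xml":
        (200, '<?xml version="1.0"?><project><builders/></project>'),
}


def sample_fetch(path: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(path, (404, "<html>Not Found</html>"))


if __name__ == "__main__":
    print("19.08.02 in advisory range:", in_advisory_range("19.08.02"))
    # Replace sample_fetch with http_fetcher("https://jenkins.example", "reader", "<token>")
    # and the hypothetical path with the plugin's real endpoint to test an instance.
    results = probe_job(sample_fetch, "demo", ["/job/demo/hypothetical-plugin-xml"])
    for path, label in results.items():
        print(f"{label:10} {path}")
    print("exposed without Job/ExtendedRead:", exposed_paths(results))
```

Run it with an account that holds only ordinary read access to the job; if the core path reports "denied" and a plugin path reports "exposed" from the same session, the permission check is missing on that path regardless of what the version string says.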

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: hudson.plugins:project-inheritance (Maven)
Affected versions: <= 21.04.03
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 5

News mentions: 1