Moderate severity · NVD Advisory · Published Jun 3, 2020 · Updated Aug 4, 2024

CVE-2020-2198

Description

Jenkins Project Inheritance Plugin 19.08.02 and earlier fails to redact encrypted secrets in job config.xml data via the getConfigAsXML API, allowing users without Job/Configure to view them.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Project Inheritance Plugin for Jenkins, versions 19.08.02 and earlier, does not properly redact encrypted secrets when transmitting job configuration data through the getConfigAsXML API endpoint. The plugin exposes sensitive credentials embedded in config.xml files to users who lack the Job/Configure permission, bypassing expected access controls [1][2].

Exploitation

Conditions

An attacker with any level of Jenkins access that allows them to query the getConfigAsXML API can exploit this vulnerability. No special privileges beyond the ability to view job configurations are required, as the plugin fails to enforce redaction for encrypted secrets [2][3]. The attack vector is network-based and can be executed without authentication if the Jenkins instance permits unauthenticated API access, though the official advisory notes that the vulnerability is exploitable by users without Job/Configure permission [1].

Impact

Successful exploitation allows an attacker to retrieve encrypted secrets, such as passwords, API tokens, or other sensitive credentials stored in job configurations. Although the secrets are stored in encrypted form, they could potentially be decrypted or reused depending on the Jenkins instance's security posture and other weaknesses [1][3]. This information disclosure undermines the confidentiality of credentials and could lead to further compromise of the Jenkins environment and connected systems.

Mitigation

Status

As of the advisory publication date (June 3, 2020), no patched version of the Project Inheritance Plugin was available. The vulnerability remains unresolved in the plugin [1][2]. Administrators are advised to restrict access to the getConfigAsXML API via Jenkins' authorization mechanisms, monitor for suspicious API calls, and consider using alternative plugins or configurations until a fix is released [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: hudson.plugins:project-inheritance (Maven)
Affected versions: <= 21.04.03
Patched versions: none listed

Patches

No patches discovered yet.
