CVE-2020-2258
Description
Jenkins Health Advisor by CloudBees Plugin 3.2.0 and earlier fails to enforce permission checks on an HTTP endpoint, allowing attackers with Overall/Read access to view it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2020-2258 affects the Jenkins Health Advisor by CloudBees Plugin version 3.2.0 and earlier. The plugin fails to correctly perform a permission check on an HTTP endpoint, so any user holding the Overall/Read permission can access that endpoint without further authorization [1][3].
Exploitation
An attacker who has already obtained Overall/Read permission on a Jenkins instance (a relatively low privilege) can exploit this flaw by simply sending a request to the vulnerable HTTP endpoint. No additional authentication or privileges are required beyond that basic access [1][2].
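The probe below is an added example, not code from the Jenkins project or the plugin, for checking whether an instance still renders the plugin's configuration page to an account that only holds Overall/Read. It assumes the page is served under `<JENKINS_URL>/cloudbees-jenkins-advisor/` (an assumed URL name; confirm it on your instance under Manage Jenkins) and that you have a user name and API token for a read-only account. It deliberately refuses to follow redirects, because a 302 to the login page would otherwise come back as a 200 and look like exposure.

```python
"""Probe a Jenkins instance for the CVE-2020-2258 exposure pattern:
the Health Advisor configuration page rendering for an Overall/Read-only user.

Added example, not the plugin's or Jenkins' own code.
Assumptions (not taken from the advisory):
  - ADVISOR_PATH is the plugin page's URL name under the Jenkins root
  - user/token belong to an account with Overall/Read only
"""
import base64
import sys
import urllib.error
import urllib.request

ADVISOR_PATH = "cloudbees-jenkins-advisor/"  # assumed URL of the config page


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 30x responses as HTTPError instead of following them,
    so a redirect to /login is never mistaken for a rendered page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect).open


def classify(status):
    """Map the HTTP status seen by a read-only user to a verdict.

    200 -> page rendered without an admin check: exposed (pre-3.2.1 behaviour)
    403 -> Jenkins enforced Overall/Administer: protected (3.2.1+)
    302/401 -> the request was not authenticated at all: fix the probe, not the target
    """
    if status == 200:
        return "exposed"
    if status == 403:
        return "protected"
    if status in (302, 401):
        return "unauthenticated"
    return "unknown"


def probe(base_url, user, token, path=ADVISOR_PATH, opener=_OPENER):
    """Request the page with HTTP Basic auth (user:API token) and classify it.

    `opener` is injectable so the logic can be exercised without a live server.
    """
    url = base_url.rstrip("/") + "/" + path
    creds = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + creds})
    try:
        with opener(req, timeout=15) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as err:
        return classify(err.code)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py <jenkins-url> <read-only-user> <api-token>")
    print(probe(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it once before and once after upgrading to 3.2.1: the verdict should move from `exposed` to `protected`. An `unauthenticated` verdict means the token or user is wrong, not that the instance is safe.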
Impact
By viewing the HTTP endpoint, an attacker may read information that should be restricted. The advisory does not detail what the page exposes, but the fix commit shows the endpoint is the plugin's global configuration page (AdvisorGlobalConfiguration/index.jelly), whose rendering was gated by nothing beyond Overall/Read, so the risk is disclosure of that configuration view [1][3].
Mitigation
The fix shipped in Health Advisor by CloudBees Plugin 3.2.1, released on September 16, 2020, and restricts the page to users with Overall/Administer [2]. Upgrade to 3.2.1 or later. The references give no workaround.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:cloudbees-jenkins-advisor (Maven) | < 3.2.1 | 3.2.1 |
Affected products
- Range: unspecified
Patches
90f693a4b9fc [SECURITY-1998]
1 file changed · +1 −1
src/main/resources/com/cloudbees/jenkins/plugins/advisor/AdvisorGlobalConfiguration/index.jelly+1 −1 modified@@ -1,7 +1,7 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" xmlns:f="/lib/form" xmlns:a="/lib/advisor"> - <l:layout title="${it.actionTitleText}" norefresh="true" permission="${it.ADMINISTRATOR}"> + <l:layout title="${it.actionTitleText}" norefresh="true" permission="${app.ADMINISTER}"> <l:header> <link rel="stylesheet" href="${resURL}/css/font-awesome/css/font-awesome.min.css"/>
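Review bot: the `permission` attribute on `<l:layout>` is the only guard on this page, and before the change it was silently empty: `${it.ADMINISTRATOR}` names a property the configuration object evidently does not expose (otherwise no change would have been needed), so the expression evaluated to null and the layout enforced nothing, which is exactly the Overall/Read exposure in the advisory. `${app.ADMINISTER}` resolves to `Jenkins.ADMINISTER` and closes that gap, but a view attribute that fails open on a typo is a fragile place for the only check. Suggest also calling `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` in the Java method that serves this view, so the Java side fails closed independently of the Jelly expression, and a short comment in index.jelly noting that `app.ADMINISTER` is deliberate.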
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c445-xm3f-hmfh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2258 (NVD)
- www.openwall.com/lists/oss-security/2020/09/16/3 (oss-security mailing list)
- github.com/jenkinsci/cloudbees-jenkins-advisor-plugin/commit/90f693a4b9fc60292463ecd7aa06c2c53d9dea30 (fix commit)
- www.jenkins.io/security/advisory/2020-09-16/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2020-09-16 (Jenkins Security Advisories, Sep 16, 2020)