VYPR
Moderate severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2260

Description

Jenkins Perfecto Plugin 1.17 and earlier lacks a permission check, allowing attackers with Overall/Read to connect to arbitrary URLs with attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2020-2260 is a missing permission check in the Jenkins Perfecto Plugin, versions 1.17 and earlier. The plugin integrates Jenkins with Perfecto's cloud testing services, and one of its HTTP endpoints opens an outbound connection on behalf of the caller without verifying that the caller holds any permission beyond Overall/Read. Overall/Read is the permission almost every Jenkins account has (and, on instances that grant it to anonymous users, no login is needed at all), so any such user can make the Jenkins controller connect to a URL of their choosing and present credentials of their choosing [1][2].

Exploitation

Exploitation needs nothing more than a Jenkins account with Overall/Read. The attacker sends a request to the plugin's endpoint naming the target URL and the username and password to present, and the Jenkins controller performs the connection. Because the request originates from the controller, it carries the controller's network position and source address; no further privilege, approval step, or user interaction is involved, and the attacker controls both where the connection goes and what credentials travel with it [1][2].

Impact

Successful exploitation is a server-side request forgery (SSRF) primitive: the attacker uses the Jenkins controller as a proxy to reach HTTP resources it can see, such as services on the internal network, localhost-only administration interfaces, or cloud instance-metadata endpoints, and to learn from the validation result whether the target answered and how. Because the credentials are attacker-supplied rather than taken from the Jenkins credentials store, the flaw does not directly expose Jenkins' own secrets, but it lets an attacker present chosen credentials to internal services from a trusted address, and any response detail surfaced to the caller leaks information about those services [1][2].

Mitigation

Upgrade to Perfecto Plugin 1.18, which adds the missing permission check [1][2]. As of May 2024 the plugin is deprecated and no longer receives maintenance or bug fixes, so the durable fix is to remove it and migrate to an alternative such as Perfecto Connect pipelines [3]. Until the plugin is gone, review which users (including anonymous) hold Overall/Read, since that is the only privilege the attack requires.
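The following added example was written for this page and is not code from the Perfecto Plugin or from the Jenkins project. It shows the class of bug behind the Overview and Exploitation sections and the shape of the fix: a Stapler form-validation handler that connects to a caller-supplied URL with caller-supplied credentials, first without any permission check, then gated on an administrative permission and restricted to POST. It assumes the affected endpoint is such a form-validation method, which is the usual place this check is missed in Jenkins plugins; the class, method and parameter names are hypothetical.

```java
package example;

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Hypothetical plugin descriptor fragment (added example, not the Perfecto
 * Plugin's own code). Jenkins routes /descriptorByName/.../testConnection to
 * the doTestConnection method below, and any caller who can reach the URL,
 * i.e. anyone with Overall/Read, gets to run it.
 */
public class ConnectionCheck {

    /** Performs the outbound request with whatever credentials the caller gave us. */
    static FormValidation tryConnect(String url, String username, String password) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            // Note that the status code itself is an information leak when the
            // caller should not be allowed to probe this host in the first place.
            return status == 200 ? FormValidation.ok("Connected")
                                 : FormValidation.error("HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    /**
     * VULNERABLE shape (reconstruction of the bug class, not the plugin's code):
     * no permission check, and no @POST, so a plain GET from any Overall/Read
     * user makes the controller connect to an arbitrary URL with arbitrary
     * credentials. This is the SSRF primitive described above.
     */
    public FormValidation doTestConnectionVulnerable(@QueryParameter String url,
                                                    @QueryParameter String username,
                                                    @QueryParameter String password) {
        return tryConnect(url, username, password);
    }

    /**
     * FIXED shape: check a permission before touching attacker-controlled
     * input, and require POST so that Jenkins' CSRF crumb protection applies.
     * Overall/Administer is the assumption here; a per-job handler would take
     * "@AncestorInPath Item item" and call item.checkPermission(Item.CONFIGURE).
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        // Throws AccessDeniedException (HTTP 403) for callers lacking the permission.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url, username, password);
    }
}
```

The check has to come before the connection is attempted, not after: returning an error once the request has already gone out still lets the caller use the controller as a proxy. Adding @POST alone is not a fix either, since a user with Overall/Read can obtain a CSRF crumb and POST legitimately; the permission check is the part that closes the bug.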

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:perfecto (Maven)
Affected versions: < 1.18
Patched versions: 1.18

Affected products: 2

Patches: 0 (no patch commits linked yet; the fix ships in version 1.18, see Affected packages above)


References: 4

News mentions: 1