CVE-2020-2272
Description
Missing permission check in Jenkins ElasTest Plugin allows attackers with Overall/Read to connect to attacker-specified URLs using attacker credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins ElasTest Plugin versions 1.2.1 and earlier lack a permission check when connecting to external URLs. This allows any user with Overall/Read permission to trigger the plugin to connect to an attacker-specified URL using attacker-supplied credentials [1][2].
Exploitation
An attacker must have at least Overall/Read permission on a Jenkins instance, which is typically granted to low-privileged users. With that permission, the attacker can craft a request that causes the plugin to initiate a connection to any URL, including internal or external systems, using credentials of the attacker's choice. No other permissions are required.
Impact
Successful exploitation could allow an attacker to probe internal network resources, exfiltrate data, or perform other actions by leveraging the Jenkins server's network position. Since the plugin uses the attacker-provided credentials, it could also be used to attempt login on other services.
Mitigation
As of the advisory publication on 2020-09-16, the vulnerability remains unresolved and no patched version has been released [1][2]. Administrators should restrict Overall/Read permission to trusted users as a workaround.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:elastestMaven | <= 1.2.1 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mr43-vf8q-q5f2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2272 (NVD advisory)
- www.openwall.com/lists/oss-security/2020/09/16/3 (oss-security mailing list)
- www.jenkins.io/security/advisory/2020-09-16/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2020-09-16, Jenkins Security Advisories, Sep 16, 2020