VYPR
High severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2276

Description

Jenkins Selection tasks Plugin 1.0 and earlier allows attackers with Job/Configure permission to execute arbitrary system commands on the Jenkins controller.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

CVE-2020-2276 affects the Jenkins Selection tasks Plugin, which in versions 1.0 and earlier executes a user-specified program directly on the Jenkins controller [1][3]. The root cause is that the plugin does not sanitize or restrict the program parameter, allowing users to specify any command-line call [3].

Exploitation

To exploit this vulnerability, an attacker must have the Job/Configure permission in Jenkins [1][3]. This permission is typically granted to users who can configure jobs, such as developers or build managers. The attacker specifies an arbitrary system command (e.g., a shell command) as the program to execute within a job configuration [3]. No additional authentication or network position is required beyond the Jenkins credentials with that permission [1].

Impact

Successful exploitation allows the attacker to execute any command on the Jenkins controller, running with the same OS user privileges as the Jenkins process [1][3]. This could lead to full compromise of the Jenkins instance, including data exfiltration, installation of backdoors, or lateral movement within the network [1].

Mitigation

As of the advisory date (2020-09-16), the Selection tasks Plugin had not yet received a fix [1][2]. The Jenkins Security Advisory lists it among plugins with unresolved vulnerabilities [2]. Users are advised to either remove or disable the plugin if not strictly necessary, or ensure strict access controls limit Job/Configure permission [1][2].
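
A check for the two mitigation conditions above, as an added example that is not part of the advisory or the Jenkins project's code. It assumes the plugin list has the shape returned by `/pluginManager/api/json?depth=1`, that the plugin's short name equals the Maven artifactId listed on this page, and that permissions are stored as matrix-authorization entries in `config.xml`; all sample data is constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

PLUGIN_ID = "selection-tasks-plugin"        # assumption: short name equals the Maven artifactId
LAST_AFFECTED = (1, 0)                      # "<= 1.0" per the affected-packages table
CONFIGURE = "hudson.model.Item.Configure"   # permission ID behind Job/Configure

def version_tuple(version):
    """'1.0' -> (1, 0); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def affected_plugin(plugin_json):
    """Return the plugin entry if an enabled, affected version is installed, else None."""
    for p in json.loads(plugin_json).get("plugins", []):
        if (p.get("shortName") == PLUGIN_ID and p.get("enabled", True)
                and version_tuple(p.get("version", "0")) <= LAST_AFFECTED):
            return p
    return None

def configure_holders(config_xml):
    """List users/groups granted Job/Configure in a matrix authorization block."""
    # Drop the XML declaration: Jenkins writes version 1.1, which expat does not parse.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml))
    holders = []
    for node in root.iter("permission"):
        parts = (node.text or "").strip().split(":")
        if parts[0] in ("USER", "GROUP"):   # newer entries carry a type prefix
            parts = parts[1:]
        if len(parts) >= 2 and parts[0] == CONFIGURE:
            holders.append(":".join(parts[1:]))
    return sorted(holders)

# Constructed sample data (not taken from a real controller)
SAMPLE_PLUGINS = """{"plugins": [
  {"shortName": "git", "version": "4.4.1", "enabled": true},
  {"shortName": "selection-tasks-plugin", "version": "1.0", "enabled": true}]}"""
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Item.Configure:dev-team</permission>
    <permission>USER:hudson.model.Item.Configure:alice</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
  </authorizationStrategy>
</hudson>"""

if __name__ == "__main__":
    if affected_plugin(SAMPLE_PLUGINS):
        print("affected plugin enabled; Job/Configure holders:", configure_holders(SAMPLE_CONFIG))
```

The permission scan reads only the matrix entries present in the XML it is given; grants made through other authorization strategies are not covered.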

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jvnet.hudson.plugins:selection-tasks-plugin (Maven) | <= 1.0 | |

Patches

No patches discovered yet.
