CVE-2020-2282
Description
Jenkins Implied Labels Plugin ≤0.6 lacks a permission check, letting attackers with Overall/Read reconfigure plugin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Implied Labels Plugin version 0.6 and earlier contains a missing permission check in an HTTP endpoint. The management link configuration page and its submission handler were not properly protected, allowing unprivileged users to access and modify plugin settings without the required Administrator permission. [1][2]
Exploitation
An attacker with only Overall/Read permission can reach the doConfigSubmit endpoint or the label-implications page. This is possible because the plugin's code lacked a checkPermission call and the UI layout did not enforce the ADMINISTER permission. A request to /label-implications would previously return the configuration page without any authorization check; with the fix, it returns a 403 Forbidden status for users lacking Administer permission. [4]
Impact
Successful exploitation allows an attacker to alter the plugin's implied label configuration. This could cause nodes and agents to be mislabeled, potentially affecting job scheduling and build execution. The impact is limited to plugin configuration tampering, but could disrupt CI/CD pipelines or lead to unintended resource usage. [1][3]
Mitigation
The vulnerability was fixed in Implied Labels Plugin version 0.7. Users should upgrade immediately. No workaround is available; the plugin's permission model was corrected by replacing @RequirePOST with a @POST annotation and adding an explicit Jenkins.ADMINISTER permission check in the submission handler, as well as a permission guard on the UI layout. [3][4]
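As an added defender-side check (example code, not from the advisory or the plugin), the following Python audits a Jenkins plugin inventory for an Implied Labels install below the fixed 0.7 release. It assumes the plugin's shortName is `implied-labels` (taken from the Maven artifactId on this page) and reads the JSON shape returned by `/pluginManager/api/json?depth=1`; the sample inventory is constructed so the audit runs offline.

```python
import base64
import json
import re
import urllib.request

# Advisory data from this page: every Implied Labels release below 0.7 is affected.
# The shortName "implied-labels" is assumed from the artifactId org.jenkins-ci.plugins:implied-labels.
FIXED_IN = {"implied-labels": "0.7"}

def parse_version(v: str) -> tuple:
    """Turn '0.6', '0.7', '0.7-beta1' or '1.2.3' into a comparable tuple.
    The numeric core is padded to three fields; a '-tag' suffix marks a
    pre-release, which sorts below the plain release of the same number."""
    core, _, tag = v.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", core)]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums) + ((0,) if tag else (1,))

def audit(inventory_json: str) -> list:
    """Return (shortName, installed, fixed) for each installed plugin still below its fix."""
    findings = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        name, installed = plugin.get("shortName"), plugin.get("version")
        fixed = FIXED_IN.get(name)
        # Flag regardless of the 'active' flag: the advisory names no workaround, only the upgrade.
        if fixed and installed and parse_version(installed) < parse_version(fixed):
            findings.append((name, installed, fixed))
    return findings

def fetch_inventory(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live inventory from /pluginManager/api/json?depth=1 with an API token."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()

# Constructed sample in the shape of the plugin-manager JSON, so the audit runs offline.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "implied-labels", "version": "0.6", "active": True},
    {"shortName": "git", "version": "4.4.4", "active": True},
]})

if __name__ == "__main__":
    for name, installed, fixed in audit(SAMPLE_INVENTORY):
        print(f"{name} {installed} is below the fixed version {fixed}: upgrade")
```

Against a live controller, pass the output of `fetch_inventory(...)` to `audit()` instead of the sample.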
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:implied-labels (Maven) | < 0.7 | 0.7 |
Affected products
- Range: unspecified
Patches
9a5d38f8056a [SECURITY-2004]
3 files changed · +10 −7
src/main/java/org/jenkinsci/plugins/impliedlabels/Config.java+3 −2 modified@@ -57,9 +57,9 @@ import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; -import org.kohsuke.stapler.interceptor.RequirePOST; import antlr.ANTLRException; +import org.kohsuke.stapler.verb.POST; @Restricted(NoExternalUse.class) public class Config extends ManagementLink { @@ -103,8 +103,9 @@ public String getUrlName() { return "label-implications"; } - @RequirePOST + @POST public void doConfigSubmit(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); this.implications(req.bindJSONToList( Implication.class, req.getSubmittedForm().get("impl") ));
src/main/resources/org/jenkinsci/plugins/impliedlabels/Config/index.jelly+1 −1 modified@@ -46,7 +46,7 @@ THE SOFTWARE. </d:tag> </d:taglib> - <l:layout title="${it.displayName}"> + <l:layout permission="${app.ADMINISTER}" title="${it.displayName}"> <l:header /> <l:side-panel> <l:tasks>
src/test/java/org/jenkinsci/plugins/impliedlabels/ConfigTest.java+6 −4 modified@@ -163,13 +163,15 @@ private static Set<LabelAtom> labels(String... names) { @PresetData(DataSet.ANONYMOUS_READONLY) @Test public void notAuthorizedToConfigure() throws Exception { WebClient wc = j.createWebClient(); + wc.getOptions().setPrintContentOnFailingStatusCode(false); - String content = wc.goTo("label-implications").asText(); - assertThat(content, containsString(config.getDisplayName())); - assertThat(content, not(containsString("Password:"))); + try { + wc.goTo("label-implications"); + } catch (FailingHttpStatusCodeException ex) { + assertThat(ex.getStatusMessage(), equalTo("Forbidden")); + } try { - wc.getOptions().setPrintContentOnFailingStatusCode(false); wc.goTo("label-implications/configure"); } catch (FailingHttpStatusCodeException ex) { assertThat(ex.getStatusMessage(), equalTo("Forbidden"));
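Review bot: in the Config.java hunk, the new `import org.kohsuke.stapler.verb.POST;` is placed after `import antlr.ANTLRException;` rather than with the other `org.kohsuke.stapler` imports where the removed `RequirePOST` import sat; move it up to keep the import groups ordered. The added `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` is correctly the first statement of `doConfigSubmit`, ahead of `req.getSubmittedForm()`, so an unauthorized submission is rejected before any form data is bound; the hunk does not show whether `Jenkins` is already imported in this file, so confirm the build.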
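Review bot: in the index.jelly hunk, `permission="${app.ADMINISTER}"` on `<l:layout>` guards only this one view, since the layout attribute is applied per page; because the test in the same commit also requests `label-implications/configure`, confirm that every other view under this ManagementLink carries the same `permission` attribute, otherwise the GET side is only partially closed.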
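Review bot: in the ConfigTest.java hunk, the new `try { wc.goTo("label-implications"); } catch (FailingHttpStatusCodeException ex) { ... }` block passes silently when `goTo` succeeds, so a regression that reopens the page to anonymous users would not fail the test; add a `fail("expected 403")` after the `goTo` call inside the `try` (the pre-existing `label-implications/configure` block has the same gap). Comparing `ex.getStatusMessage()` to `"Forbidden"` is also brittle; asserting `ex.getStatusCode()` equals 403 is the stable check.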
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-5hw2-327v-vvr6 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2282 (NVD)
- www.openwall.com/lists/oss-security/2020/09/23/1 (oss-security mailing list)
- github.com/jenkinsci/implied-labels-plugin/commit/9a5d38f8056a830ef075f379fa1b489c08f7000f (fix commit)
- www.jenkins.io/security/advisory/2020-09-23/ (Jenkins Security Advisory)
News mentions
- Jenkins Security Advisory 2020-09-23 (Jenkins Security Advisories, Sep 23, 2020)