VYPR
Moderate severity · NVD Advisory · Published Nov 4, 2020 · Updated Aug 4, 2024

CVE-2020-2306

Description

A missing permission check in Jenkins Mercurial Plugin 2.11 and earlier allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   | Affected versions  | Patched versions
------------------------------------------+--------------------+-----------------
org.jenkins-ci.plugins:mercurial (Maven)  | >= 2.11, < 2.12    | 2.12
org.jenkins-ci.plugins:mercurial (Maven)  | >= 2.10, < 2.10.1  | 2.10.1
org.jenkins-ci.plugins:mercurial (Maven)  | >= 2.9, < 2.9.1    | 2.9.1
org.jenkins-ci.plugins:mercurial (Maven)  | < 2.8.1            | 2.8.1

Affected products

1

Patches

1
edd59db1eec7

[SECURITY-2104]

https://github.com/jenkinsci/mercurial-plugin · Jesse Glick · Oct 29, 2020 · via ghsa
1 file changed · +9 −1
  • src/main/java/hudson/plugins/mercurial/traits/MercurialInstallationSCMSourceTrait.java · +9 −1 · modified
    @@ -27,6 +27,7 @@
     
     import hudson.Extension;
     import hudson.Util;
    +import hudson.model.Item;
     import hudson.plugins.mercurial.MercurialInstallation;
     import hudson.plugins.mercurial.MercurialSCM;
     import hudson.plugins.mercurial.MercurialSCMBuilder;
    @@ -36,13 +37,15 @@
     import hudson.util.ListBoxModel;
     import javax.annotation.CheckForNull;
     import javax.annotation.Nonnull;
    +import jenkins.model.Jenkins;
     import jenkins.scm.api.SCMSource;
     import jenkins.scm.api.trait.SCMBuilder;
     import jenkins.scm.api.trait.SCMSourceContext;
     import jenkins.scm.api.trait.SCMSourceTrait;
     import jenkins.scm.api.trait.SCMSourceTraitDescriptor;
     import org.kohsuke.accmod.Restricted;
     import org.kohsuke.accmod.restrictions.NoExternalUse;
    +import org.kohsuke.stapler.AncestorInPath;
     import org.kohsuke.stapler.DataBoundConstructor;
     
     /**
    @@ -177,8 +180,13 @@ public Class<? extends SCMSource> getSourceClass() {
              * @return the list of {@link MercurialInstallation} items.
              */
             @Restricted(NoExternalUse.class) // stapler
    -        public ListBoxModel doFillInstallationItems() {
    +        public ListBoxModel doFillInstallationItems(@AncestorInPath Item context) {
                 ListBoxModel result = new ListBoxModel();
    +            if (context == null ?
    +                    !Jenkins.get().hasPermission(Jenkins.ADMINISTER) :
    +                    !context.hasPermission(Item.EXTENDED_READ)) {
    +                return result;
    +            }
                 for (MercurialInstallation i: MercurialInstallation.allInstallations()) {
                     if (i.isUseCaches()) {
                         result.add(i.getName());
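Review bot: the javadoc just above the method (the "@return the list of {@link MercurialInstallation} items." line) no longer describes the new behaviour: with this hunk the method silently returns an empty ListBoxModel when the caller lacks Item.EXTENDED_READ on the context item, or Jenkins.ADMINISTER when no item is in the request path. Please update the @return text to state that an empty model is returned for callers without permission, so a maintainer reading the contract later does not take an empty dropdown for a configuration problem. The guard itself is the right shape for a Stapler doFill endpoint, but the nested ternary inside the `if` condition is easy to misread; the two branches could be assigned to a `boolean denied` first. Also note that `Jenkins.get()` exists only in core 2.98 and later, so confirm the plugin's minimum Jenkins version covers it or fall back to `Jenkins.getInstance()` with a null check.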
    

References

5

News mentions

0

No linked articles in our index yet.