CVE-2020-2311
Description
CVE-2020-2311 allows attackers with Overall/Read permission to overwrite the global AWS configuration in the Jenkins AWS Global Configuration Plugin 1.5 and earlier, due to a missing permission check.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-2311 is a missing permission check vulnerability in the Jenkins AWS Global Configuration Plugin versions 1.5 and earlier [1]. The doConfigure method lacked proper authorization, allowing any user with the relatively low Overall/Read permission to replace the global AWS configuration settings [1][3].
Exploitation requires an attacker to have at least Overall/Read permission on the Jenkins instance, which is commonly granted to unprivileged users and often considered a safe default. The attacker can then send a crafted request to the doConfigure endpoint without needing administrator privileges [3]. The fix, applied in commit 783618f, adds a Jenkins.ADMINISTER permission check and changes the @RequirePOST annotation to @POST to ensure the endpoint is properly secured [3].
Successful exploitation allows an attacker to overwrite the global AWS configuration, potentially redirecting AWS credentials or endpoints to attacker-controlled services. This could lead to credential theft, data exfiltration, or further compromise of AWS resources accessed by Jenkins [1].
The vulnerability is fixed in AWS Global Configuration Plugin version 1.6, and users are strongly encouraged to upgrade [1]. There is no known workaround other than upgrading or restricting the Overall/Read permission to trusted users only.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
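As an added example (not code from the plugin, the advisory or the fix commit), a heuristic check for the bug class this fix addresses: it scans Java source for Stapler `doXxx` web methods and reports any whose body makes no `checkPermission()` call or that carries neither `@POST` nor `@RequirePOST`. The sample source is constructed to mirror the before/after shape of commit 783618f; it is not the plugin's real file, and the regex is a heuristic, not a Java parser.

```python
import re

# Heuristic: a public method named doXxx taking a StaplerRequest is a Stapler web method.
_WEB_METHOD = re.compile(
    r"public\s+(?:synchronized\s+)?[\w<>\[\], ]+\s+(do\w+)\s*\([^)]*StaplerRequest[^)]*\)[^{]*\{"
)
_AUTHZ = re.compile(r"\.checkPermission\s*\(")


def _method_body(src: str, open_brace: int) -> str:
    """Return the text between the method's opening brace and its matching close brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    return src[open_brace + 1:]  # unbalanced input: fall back to the rest of the file


def find_unprotected_web_methods(src: str) -> dict:
    """Map each doXxx web method to the protections it lacks: 'checkPermission' and/or 'POST-only'."""
    findings = {}
    for m in _WEB_METHOD.finditer(src):
        body = _method_body(src, m.end() - 1)
        # Annotations sit between the previous statement/brace and the declaration.
        prefix = re.split(r"[;{}]", src[:m.start()])[-1]
        missing = []
        if not _AUTHZ.search(body):
            missing.append("checkPermission")
        if not re.search(r"@(RequirePOST|POST)\b", prefix):
            missing.append("POST-only")
        if missing:
            findings[m.group(1)] = missing
    return findings


# Constructed sample modelled on the pre-fix doConfigure (not the plugin's actual source).
VULNERABLE = """
public class AwsManagementLink extends ManagementLink {
    @RequirePOST
    public synchronized void doConfigure(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException, Descriptor.FormException {
        BulkChange bc = new BulkChange(Jenkins.get());
        try { /* apply submitted form */ } finally { bc.commit(); }
    }
}
"""
# Constructed post-fix shape: verb annotation plus an ADMINISTER check before any state change.
FIXED = VULNERABLE.replace("@RequirePOST", "@POST").replace(
    "BulkChange bc", "Jenkins.get().checkPermission(Jenkins.ADMINISTER);\n        BulkChange bc")
```

Running `find_unprotected_web_methods` over a plugin's `src/main/java` tree flags candidates for manual review; a reported method is not automatically vulnerable, since authorization may be enforced elsewhere.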
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:aws-global-configuration (Maven) | < 1.6 | 1.6 |
Affected products
- Range: unspecified
Patches
- 783618f98dcd [SECURITY-2101]
1 file changed · +3 −2
src/main/java/io/jenkins/plugins/aws/global_configuration/AwsManagementLink.java+3 −2 modified@@ -14,7 +14,7 @@ import org.jenkinsci.Symbol; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; -import org.kohsuke.stapler.interceptor.RequirePOST; +import org.kohsuke.stapler.verb.POST; import javax.annotation.CheckForNull; import javax.servlet.ServletException; @@ -61,8 +61,9 @@ public Descriptor<AwsManagementLink> getDescriptor() { return Jenkins.get().getDescriptorOrDie(AwsManagementLink.class); } - @RequirePOST + @POST public synchronized void doConfigure(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException, Descriptor.FormException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); // for compatibility reasons, the actual value is stored in Jenkins BulkChange bc = new BulkChange(Jenkins.get()); try{
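Review bot: the new `Jenkins.get().checkPermission(Jenkins.ADMINISTER);` line sits at the top of doConfigure, ahead of `BulkChange bc = new BulkChange(Jenkins.get());`, which is the right place since nothing is read or modified before authorization; what the change still lacks is a test asserting that a user holding only Overall/Read receives a 403 from doConfigure, and because the annotation moves from `org.kohsuke.stapler.interceptor.RequirePOST` to `org.kohsuke.stapler.verb.POST`, the plugin's Jenkins/Stapler baseline in the pom should be confirmed to provide the verb package before release.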
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-7v7g-mh53-89hw (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-2311 (advisory)
- [3] github.com/jenkinsci/aws-global-configuration-plugin/commit/783618f98dcda35cee978c54ed8760b9436f5210 (web)
- [4] www.jenkins.io/security/advisory/2020-11-04/ (web, x_refsource_CONFIRM)
News mentions
- Jenkins Security Advisory 2020-11-04 (Jenkins Security Advisories, Nov 4, 2020)