Moderate severityNVD Advisory· Published Nov 4, 2020· Updated Aug 4, 2024

CVE-2020-2313

CVE-2020-2313

Description

A missing permission check in Jenkins Azure Key Vault Plugin 2.0 and earlier allows attackers with Overall/Read permission to enumerate the credential IDs of credentials stored in Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Azure Key Vault Plugin 2.0 and earlier lacks a permission check, allowing attackers with Overall/Read permission to enumerate credential IDs stored in Jenkins.

Vulnerability

Jenkins Azure Key Vault Plugin versions 2.0 and earlier lack a permission check, allowing attackers with the Overall/Read permission to enumerate the credential IDs of credentials stored in Jenkins [1][4]. The plugin's form-fill methods build a list of credential items without verifying the caller's authorization, exposing credential metadata to users who should not see it.

Exploitation

An attacker needs only the Overall/Read permission, a relatively low privilege level in Jenkins. Because the doFillCredentialIDOverrideItems method lacked both a @POST annotation and a permission check, any such user could enumerate credential IDs by invoking it [3]. The fix in commit f09ed65 adds the @POST annotation and routes the credential listing through a shared helper that performs the permission check before listing anything [3].

Impact

Successful exploitation allows an attacker to enumerate the credential IDs stored in Jenkins, which can serve as a stepping stone for further attacks, such as guessing or brute-forcing credential secrets. The plugin itself is used to fetch secrets from Azure Key Vault for build jobs [2].

Mitigation

Users should upgrade to Azure Key Vault Plugin version 2.1 or later, which includes the fix [1][4]. No workaround is provided for older versions, so updating is the recommended action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:azure-keyvault (Maven) | < 2.1 | 2.1


Patches

f09ed652cc57

SECURITY-2110

4 files changed · +25 23
  • src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultBuildWrapper.java+3 6 modified
    @@ -28,9 +28,7 @@
     import com.azure.identity.ClientSecretCredentialBuilder;
     import com.azure.security.keyvault.secrets.SecretClient;
     import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
    -import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
     import com.microsoft.azure.util.AzureCredentials;
    -import com.microsoft.azure.util.AzureImdsCredentials;
     import hudson.EnvVars;
     import hudson.Extension;
     import hudson.FilePath;
    @@ -40,7 +38,6 @@
     import hudson.model.Item;
     import hudson.model.Run;
     import hudson.model.TaskListener;
    -import hudson.security.ACL;
     import hudson.tasks.BuildWrapperDescriptor;
     import hudson.util.ListBoxModel;
     import java.util.ArrayList;
    @@ -54,6 +51,7 @@
     import org.kohsuke.stapler.AncestorInPath;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.DataBoundSetter;
    +import org.kohsuke.stapler.verb.POST;
     
     import static hudson.Util.fixEmpty;
     import static java.lang.String.format;
    @@ -288,10 +286,9 @@ public DescriptorImpl() {
             }
     
             @SuppressWarnings("unused")
    +        @POST
             public ListBoxModel doFillCredentialIDOverrideItems(@AncestorInPath Item context) {
    -            return new StandardListBoxModel().includeEmptyValue()
    -                    .includeAs(ACL.SYSTEM, context, AzureImdsCredentials.class)
    -                    .includeAs(ACL.SYSTEM, context, AzureCredentials.class);
    +            return AzureKeyVaultUtil.doFillCredentialIDItems(context);
             }
     
             @Override
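Review bot: doFillCredentialIDOverrideItems now depends entirely on AzureKeyVaultUtil.doFillCredentialIDItems for its authorization, but nothing at the call site says so; the same applies to doFillCredentialIDItems in AzureKeyVaultStep.java. A one-line Javadoc would keep a future edit from reinstating an unchecked StandardListBoxModel here: `/** Stapler form-fill endpoint; the Jenkins.ADMINISTER / Item.CONFIGURE check lives in AzureKeyVaultUtil.doFillCredentialIDItems, so this must stay @POST and must not list credentials directly. */`. Note that @POST on its own only restricts the HTTP verb; the permission check inside the helper is what actually prevents enumeration. The enclosing DescriptorImpl class starts and ends outside the hunk.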
    
  • src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultGlobalConfiguration.java+1 11 modified
    @@ -6,14 +6,12 @@
     import com.cloudbees.plugins.credentials.CredentialsScope;
     import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
     import com.cloudbees.plugins.credentials.common.IdCredentials;
    -import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
     import com.microsoft.azure.util.AzureBaseCredentials;
     import com.microsoft.azure.util.AzureCredentials;
     import com.microsoft.azure.util.AzureImdsCredentials;
     import hudson.Extension;
     import hudson.ExtensionList;
     import hudson.model.Item;
    -import hudson.security.ACL;
     import hudson.util.FormValidation;
     import hudson.util.ListBoxModel;
     import java.io.IOException;
    @@ -227,15 +225,7 @@ public FormValidation doTestConnection(
         @POST
         @SuppressWarnings("unused")
         public ListBoxModel doFillCredentialIDItems(@AncestorInPath Item context) {
    -        if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) ||
    -                context != null && !context.hasPermission(Item.EXTENDED_READ)) {
    -            return new StandardListBoxModel();
    -        }
    -
    -        return new StandardListBoxModel()
    -                .includeEmptyValue()
    -                .includeAs(ACL.SYSTEM, context, AzureCredentials.class)
    -                .includeAs(ACL.SYSTEM, context, AzureImdsCredentials.class);
    +        return AzureKeyVaultUtil.doFillCredentialIDItems(context);
         }
     
         public static AzureKeyVaultGlobalConfiguration get() {
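Review bot: The permission this endpoint requires for an item context has tightened from Item.EXTENDED_READ (removed line) to Item.CONFIGURE, because the shared helper in AzureKeyVaultUtil checks CONFIGURE; users who could previously populate this list with only extended read now receive an empty model. If that is intended, a comment above `return AzureKeyVaultUtil.doFillCredentialIDItems(context);` such as `// requires Item.CONFIGURE (or Jenkins.ADMINISTER without an item); EXTENDED_READ is no longer sufficient` plus a changelog entry would make the change visible. The helper also lists AzureImdsCredentials before AzureCredentials, the reverse of the removed lines, so the dropdown order on this page changes as well. The @POST annotation here predates the commit, so the form-submission requirement is unchanged.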
    
  • src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultStep.java+3 6 modified
    @@ -3,18 +3,15 @@
     import com.azure.core.credential.TokenCredential;
     import com.azure.security.keyvault.secrets.SecretClient;
     import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
    -import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
     import com.google.common.collect.ImmutableSet;
     import com.microsoft.azure.util.AzureCredentials;
    -import com.microsoft.azure.util.AzureImdsCredentials;
     import edu.umd.cs.findbugs.annotations.NonNull;
     import hudson.Extension;
     import hudson.FilePath;
     import hudson.Util;
     import hudson.console.ConsoleLogFilter;
     import hudson.model.Item;
     import hudson.model.Run;
    -import hudson.security.ACL;
     import hudson.util.ListBoxModel;
     import java.nio.charset.StandardCharsets;
     import java.util.ArrayList;
    @@ -38,6 +35,7 @@
     import org.kohsuke.stapler.AncestorInPath;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.DataBoundSetter;
    +import org.kohsuke.stapler.verb.POST;
     
     import static java.lang.String.format;
     import static java.util.Objects.requireNonNull;
    @@ -216,10 +214,9 @@ public String getDisplayName() {
             }
     
             @SuppressWarnings("unused")
    +        @POST
             public ListBoxModel doFillCredentialIDItems(@AncestorInPath Item context) {
    -            return new StandardListBoxModel().includeEmptyValue()
    -                    .includeAs(ACL.SYSTEM, context, AzureImdsCredentials.class)
    -                    .includeAs(ACL.SYSTEM, context, AzureCredentials.class);
    +            return AzureKeyVaultUtil.doFillCredentialIDItems(context);
             }
     
             /**
    
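--- a/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultUtil.java
+++ b/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureKeyVaultUtil.java
@@ -24,7 +24,13 @@
 
 package org.jenkinsci.plugins.azurekeyvaultplugin;
 
+import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
+import com.microsoft.azure.util.AzureCredentials;
+import com.microsoft.azure.util.AzureImdsCredentials;
 import hudson.FilePath;
+import hudson.model.Item;
+import hudson.security.ACL;
+import hudson.util.ListBoxModel;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.OutputStream;
@@ -35,6 +41,7 @@
 import java.security.cert.Certificate;
 import java.util.Enumeration;
 import javax.xml.bind.DatatypeConverter;
+import jenkins.model.Jenkins;
 
 class AzureKeyVaultUtil {
 
@@ -72,4 +79,15 @@ static String convertAndWritePfxToDisk(FilePath workspace, String secret)
         URI uri = outFile.toURI();
         return uri.getPath();
     }
+
+    public static ListBoxModel doFillCredentialIDItems(Item context) {
+        if (context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER) ||
+                context != null && !context.hasPermission(Item.CONFIGURE)) {
+            return new StandardListBoxModel();
+        }
+
+        return new StandardListBoxModel().includeEmptyValue()
+                .includeAs(ACL.SYSTEM, context, AzureImdsCredentials.class)
+                .includeAs(ACL.SYSTEM, context, AzureCredentials.class);
+    }
 }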
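Review bot: doFillCredentialIDItems is now the single authorization gate for three Stapler endpoints, yet it carries no Javadoc and its guard relies on `&&` binding tighter than `||`, which is easy to misread the next time the condition is edited. I would parenthesize it, `if ((context == null && !Jenkins.get().hasPermission(Jenkins.ADMINISTER)) || (context != null && !context.hasPermission(Item.CONFIGURE))) {`, and add a Javadoc stating that the method returns an empty StandardListBoxModel unless the caller has Jenkins.ADMINISTER (no item) or Item.CONFIGURE (with an item), that the credential lookup itself runs as ACL.SYSTEM so this check is the only thing preventing enumeration, and that every caller must be a @POST form-fill method. The method is public on a package-private class; if it is meant to stay internal, package-private visibility would match the class. The class header is in an earlier hunk, but the method itself is complete here.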
    
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
