Memory usage graphs accessible to anyone with Overall/Read
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
Details
Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller. Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data. Jenkins 2.219, LTS 2.204.2 now requires Overall/Administer permissions to view the JVM memory usage chart.
The fix
[SECURITY-1650]
core/src/main/java/hudson/diagnosis/MemoryUsageMonitor.java+2 −0
@@ -39,6 +39,7 @@import java.util.ArrayList;import java.io.IOException;+import jenkins.model.Jenkins;import org.jenkinsci.Symbol;import org.kohsuke.stapler.QueryParameter;@@ -102,6 +103,7 @@ private void update() {* Generates the memory usage statistics graph.*/public TrendChart doGraph(@QueryParameter String type) throws IOException {+Jenkins.get().checkPermission(Jenkins.ADMINISTER);return MultiStageTimeSeries.createTrendChart(TimeScale.parse(type),used,max);}}
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2104
- WEBhttps://github.com/jenkinsci/jenkins/commit/7d44836fad0f49341ae2a61de06dbb556014a2df
- WEBhttps://access.redhat.com/errata/RHBA-2020:0402
- WEBhttps://access.redhat.com/errata/RHBA-2020:0675
- WEBhttps://access.redhat.com/errata/RHSA-2020:0681
- WEBhttps://access.redhat.com/errata/RHSA-2020:0683
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://jenkins.io/security/advisory/2020-01-29/#SECURITY-1650
- WEBhttp://www.openwall.com/lists/oss-security/2020/01/29/1