Security context
Medium· 4.3GHSA-r78q-qgx6-64pp CVE-2020-2104CWE-285CWE-863Published May 24, 2022

Memory usage graphs accessible to anyone with Overall/Read

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.204.22.205 → fixed in 2.219

Details

Jenkins includes a feature that shows a JVM memory usage chart for the Jenkins controller. Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier requires no permissions beyond the general Overall/Read, allowing users who are not administrators to view JVM memory usage data. Jenkins 2.219, LTS 2.204.2 now requires Overall/Administer permissions to view the JVM memory usage chart.

The fix

[SECURITY-1650]

Daniel Beck· Jan 14, 2020, 11:08 AM+207d44836fad
core/src/main/java/hudson/diagnosis/MemoryUsageMonitor.java+2 0
@@ -39,6 +39,7 @@
import java.util.ArrayList;
import java.io.IOException;
+import jenkins.model.Jenkins;
import org.jenkinsci.Symbol;
import org.kohsuke.stapler.QueryParameter;
@@ -102,6 +103,7 @@ private void update() {
* Generates the memory usage statistics graph.
*/
public TrendChart doGraph(@QueryParameter String type) throws IOException {
+ Jenkins.get().checkPermission(Jenkins.ADMINISTER);
return MultiStageTimeSeries.createTrendChart(TimeScale.parse(type),used,max);
}
}

References