CVE-2020-2093 — CSRF vulnerability in Health Advisor by CloudBees Plugin

描述

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient. Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability. Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

如何修補 CVE-2020-2093

要修補 CVE-2020-2093,請將受影響套件升級到下列已修補版本。

—升級至 3.0.1 或更新版本

CVE-2020-2093 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 3.0.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

參考連結(4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2093
PATCHgithub.com/jenkinsci/cloudbees-jenkins-advisor-plugin
WEBgithub.com/jenkinsci/cloudbees-jenkins-advisor-plugin/commit/f53fe8a41a1566fdd7d2996779f6c5684ef3e2df
WEBjenkins.io/security/advisory/2020-01-15/#SECURITY-1708