CVE-2020-2320

描述

Jenkins Plugin Installation Manager Tool is part of the Jenkins project Docker images. As `jenkins-plugin-cli` it is used to download and install plugins even before Jenkins is running. Jenkins Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as mirror operators to provide crafted plugin downloads. Jenkins Plugin Installation Manager Tool 2.2.0 confirms that actual checksums of downloaded plugin match the expected checksums. Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can change the version they use by extending the Jenkins image and update the tool themselves with: ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar Jenkinsfile Runner [1.0-beta-22](https://github.com/jenkinsci/jenkinsfile-runner/releases/tag/1.0-beta-22) Docker images also include Plugin Installation Manager Tool 2.2.0.

如何修補 CVE-2020-2320

要修補 CVE-2020-2320,請將受影響套件升級到下列已修補版本。

• —升級至 2.2.0 或更新版本

CVE-2020-2320 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.2.0

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2320
• PATCHgithub.com/jenkinsci/plugin-installation-manager-tool
• WEBgithub.com/jenkinsci/plugin-installation-manager-tool/commit/dfc745c3a97a3fea74a3fe2e92d8a4440cbbf867
• WEBwww.jenkins.io/security/advisory/2020-12-03/#SECURITY-1856