2020-01-29
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier improperly reuse encryption key parameters in the Inbound TCP Agent Protocol/3, allowing unauthorized attackers with knowledge of agent names to obtain the connection secrets for those agents, which can be used to connect to Jenkins, impersonating those agents.
Products | Jenkins |
Type | Use of Insufficiently Random Values (CWE-330) |
First patch | None (likely due to unavailable code) |
Links |
• http://www.openwall.com/lists/oss-security/2020/01/29/1
• https://access.redhat.com/errata/RHBA-2020:0675
• https://access.redhat.com/errata/RHSA-2020:0681
• https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1682
• https://access.redhat.com/errata/RHSA-2020:0683 |