CVE-2020-2114

7.5 HIGH

📋 TL;DR

The Jenkins S3 publisher Plugin versions 0.11.4 and earlier transmit AWS credentials in plain text within the global Jenkins configuration form. This allows attackers with access to Jenkins configuration pages to steal AWS credentials, potentially leading to unauthorized access to S3 buckets. Organizations using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Jenkins S3 publisher Plugin
Versions: 0.11.4 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any Jenkins instance with the S3 publisher plugin installed and configured with AWS credentials is vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain AWS credentials, access sensitive S3 data, modify or delete critical files, and potentially pivot to other AWS resources.

🟠

Likely Case

Internal or external attackers capture AWS credentials and access S3 buckets containing sensitive data like backups, logs, or application artifacts.

🟢

If Mitigated

With proper network segmentation and access controls, credential exposure is limited to authorized Jenkins administrators only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to Jenkins configuration pages, typically requiring at least some level of Jenkins user permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.5

Vendor Advisory: https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1684

Restart Required: Yes

Instructions:

1. Update Jenkins S3 publisher Plugin to version 0.11.5 or later via Jenkins Plugin Manager.
2. Restart Jenkins.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.

🔧 Temporary Workarounds

Remove AWS credentials from plugin configuration

all

Temporarily remove AWS credentials from the S3 publisher plugin configuration to prevent exposure.

Navigate to Manage Jenkins > Configure System > S3 Profiles section and remove or obfuscate the credentials.

Restrict access to Jenkins configuration

all

Limit user permissions to only necessary personnel using Jenkins Role-Based Access Control.

Configure permissions via Manage Jenkins > Manage and Assign Roles.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jenkins from the internet and limit internal access.
  • Use AWS IAM roles instead of static credentials where possible, and rotate any exposed credentials immediately.

🔍 How to Verify

Check if Vulnerable:

Check installed plugin version via Manage Jenkins > Manage Plugins > Installed tab, look for S3 publisher plugin version 0.11.4 or earlier.

Check Version:

Check the Jenkins plugin directory, or use the Jenkins CLI: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep s3

Verify Fix Applied:

Verify plugin version is 0.11.5 or later in Manage Jenkins > Manage Plugins > Installed tab, and confirm credentials are no longer visible in plain text in configuration forms.
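The three checks above all come down to one question: is the installed S3 publisher plugin older than 0.11.5? Grepping the CLI output by eye works, but string comparison of version numbers is a classic trap ("0.9.1" sorts after "0.11.5" as text). The following script is an added example, not part of this advisory or of the Jenkins project; it parses the columnar output of jenkins-cli list-plugins (format assumed from typical output, sample constructed here) and compares the version numerically against the fixed release.

```python
"""Flag a vulnerable Jenkins S3 publisher plugin from `list-plugins` output.

Added example for CVE-2020-2114 verification; not Jenkins project code.
Assumptions: the plugin's short name is "s3", and `jenkins-cli list-plugins`
prints one plugin per line as: shortName  long name  version [(newer version)].
"""
import re
import sys
from typing import Dict, Optional, Tuple

FIXED_VERSION = "0.11.5"   # first non-vulnerable release, per the advisory
PLUGIN_SHORT_NAME = "s3"   # assumption: CLI short name of the S3 publisher plugin

# Constructed sample of CLI output (not captured from a real instance).
SAMPLE_OUTPUT = """\
git                     Git plugin                          4.2.2
s3                      S3 publisher plugin                 0.11.4 (0.11.5)
credentials             Credentials Plugin                  2.3.1
"""

# shortName, lazy long name, dotted version, optional "(newer)" suffix.
PLUGIN_LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\d+(?:\.\d+)*)(?:\s+\(.*\))?\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.11.4' into (0, 11, 4) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_list_plugins(output: str) -> Dict[str, str]:
    """Map plugin short name -> installed version string; skip unparseable lines."""
    plugins: Dict[str, str] = {}
    for line in output.splitlines():
        match = PLUGIN_LINE_RE.match(line)
        if match:
            plugins[match.group(1)] = match.group(3)
    return plugins


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def assess(output: str) -> Optional[bool]:
    """None if the plugin is not installed, else whether it is vulnerable."""
    version = parse_list_plugins(output).get(PLUGIN_SHORT_NAME)
    if version is None:
        return None
    return is_vulnerable(version)


if __name__ == "__main__":
    # Usage: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | python check_s3_plugin.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    result = assess(text)
    if result is None:
        print("S3 publisher plugin not installed")
    else:
        print("VULNERABLE (update to %s)" % FIXED_VERSION if result else "patched")
```

Run it with the CLI output piped in; with no input it evaluates the constructed sample, which reports the 0.11.4 install as vulnerable. The same numeric comparison is what you want in any inventory query across many masters, since a plain lexical sort would misclassify releases such as 0.9.x.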

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to Jenkins configuration pages, especially from unauthorized IPs or users

Network Indicators:

  • Responses from Jenkins configuration endpoints that carry the AWS credentials unmasked (for example base64-encoded rather than encrypted)

SIEM Query:

source="jenkins.log" AND ("Configure System" OR "S3 Profiles") AND (user NOT IN ["admin", "authorized_users"])
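Because the flaw is in the global configuration form itself, every load of that form by someone who is not an administrator is the event worth alerting on. The script below is an added example, not part of this advisory or of Jenkins; it applies the same idea as the SIEM query above to access-log lines. The log format (common-log style with the authenticated user in the third field) and the admin allowlist are assumptions, and the log lines are constructed, not captured. The paths /configure and /configSubmit are the Jenkins global configuration form and its submit endpoint.

```python
"""Flag non-admin access to the Jenkins global configuration form.

Added example for CVE-2020-2114 monitoring; not Jenkins project code.
Assumptions: access logs are in a common-log-style format with the
authenticated Jenkins user in the third field; AUTHORIZED_ADMINS lists
the accounts expected to open Manage Jenkins > Configure System.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample log lines (not from a real instance).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Feb/2020:10:01:02 +0000] "GET /job/build/ HTTP/1.1" 200 5120
10.0.0.9 - bob [12/Feb/2020:10:03:40 +0000] "GET /configure HTTP/1.1" 200 40311
10.0.0.5 - alice [12/Feb/2020:10:05:11 +0000] "POST /configSubmit HTTP/1.1" 302 0
198.51.100.7 - carol [12/Feb/2020:10:07:55 +0000] "GET /configure?x=1 HTTP/1.1" 200 40311
garbage line that does not parse
"""

AUTHORIZED_ADMINS: Set[str] = {"alice"}           # assumption: known config admins
CONFIG_PATHS = ("/configure", "/configSubmit")    # global config form and its submit endpoint

# client ip, ident, user, timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines in another format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ip, user, ts, method, path, status = match.groups()
    return {"ip": ip, "user": user, "time": ts, "method": method,
            "path": path, "status": status}


def find_suspicious_config_access(log_text: str,
                                  authorized: Set[str] = AUTHORIZED_ADMINS) -> List[Dict[str, str]]:
    """Return records where a non-allowlisted user touched the global config form."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Strip any query string before matching the path.
        if rec["path"].split("?", 1)[0] in CONFIG_PATHS and rec["user"] not in authorized:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious_config_access(SAMPLE_LOG):
        print("%s %s %s %s by %s from %s" % (rec["time"], rec["status"], rec["method"],
                                             rec["path"], rec["user"], rec["ip"]))
```

On the constructed sample this reports bob (internal) and carol (an external address) opening /configure while alice's admin activity is ignored. A successful GET /configure by an unexpected account on a vulnerable version should be treated as a credential exposure, which is the trigger for rotating the AWS keys named in the workarounds above.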
