CVE-2020-2320

9.8 CRITICAL

📋 TL;DR

CVE-2020-2320 is a critical vulnerability in Jenkins Plugin Installation Manager Tool 2.1.3 and earlier that fails to verify plugin downloads, allowing attackers to supply malicious plugins. This enables remote code execution on Jenkins servers. All Jenkins instances using the vulnerable Plugin Installation Manager Tool are affected.

💻 Affected Systems

Products:
  • Jenkins Plugin Installation Manager Tool
Versions: 2.1.3 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Jenkins installations using the Plugin Installation Manager Tool for plugin management.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of Jenkins server with attacker gaining complete control, data exfiltration, lateral movement, and persistence.

🟠 Likely Case

Remote code execution leading to unauthorized access, data theft, and potential ransomware deployment.

🟢 If Mitigated

Limited impact if network segmentation and strict access controls prevent external plugin installation attempts.

🌐 Internet-Facing: HIGH - Internet-facing Jenkins servers are directly exploitable without authentication.
🏢 Internal Only: HIGH - Internal Jenkins servers remain vulnerable to internal attackers or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires tricking Jenkins into downloading a malicious plugin, which can be achieved through man-in-the-middle attacks or compromised update servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins Plugin Installation Manager Tool 2.1.4

Vendor Advisory: https://www.jenkins.io/security/advisory/2020-12-03/#SECURITY-1856

Restart Required: Yes

Instructions:

1. Update Jenkins to version 2.263 or later.
2. Update Plugin Installation Manager Tool to 2.1.4 or later.
3. Restart Jenkins service.

🔧 Temporary Workarounds

Disable Plugin Installation Manager Tool (platform: all)

Temporarily disable the vulnerable component until patching is possible.

# Remove or rename the plugin installation manager tool directory
mv /path/to/plugin-installation-manager-tool /path/to/plugin-installation-manager-tool.disabled

Network Segmentation (platform: linux)

Restrict Jenkins server network access to prevent external plugin downloads.

# Configure firewall to block Jenkins from downloading plugins from external sources.
# Note: iptables resolves the hostname only once, when the rule is added, and this
# rule also blocks legitimate downloads from the official update center, so pair it
# with a verified internal plugin repository.
iptables -A OUTPUT -p tcp --dport 443 -d update.jenkins.io -j DROP

🧯 If You Can't Patch

  • Implement strict network controls to prevent Jenkins from downloading plugins from untrusted sources
  • Disable automatic plugin updates and only install plugins from verified internal repositories
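If plugins must still be installed before the fix is in place, the integrity check the vulnerable tool skips can be done by hand: compare the SHA-256 of the downloaded .hpi with the digest the update center publishes and refuse to install on mismatch. The script below is an added example, not code from the Jenkins project or the Plugin Installation Manager Tool; it assumes the digest is published base64-encoded under a "sha256" key as in update-center.json, and the metadata and plugin bytes are constructed inline so it runs offline.

```python
"""Verify a downloaded Jenkins plugin against update-center metadata (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the plugin archive that was downloaded (not a real .hpi).
PLUGIN_BYTES = b"PK\x03\x04 constructed stand-in for a real .hpi archive"

# Constructed update-center-style metadata. The digest is derived from PLUGIN_BYTES
# so the genuine download matches and any tampered copy does not.
UPDATE_CENTER_JSON = json.dumps({
    "plugins": {
        "example-plugin": {
            "version": "1.0",
            "sha256": base64.b64encode(hashlib.sha256(PLUGIN_BYTES).digest()).decode(),
        }
    }
})


def expected_sha256(update_center_json: str, plugin_name: str, version: str) -> bytes:
    """Return the raw SHA-256 the update center publishes for plugin_name@version."""
    meta = json.loads(update_center_json)["plugins"][plugin_name]
    if meta["version"] != version:
        # Metadata for a different version must never be used to bless this download.
        raise ValueError(f"metadata is for {meta['version']}, wanted {version}")
    return base64.b64decode(meta["sha256"])


def verify_plugin(hpi: bytes, update_center_json: str, plugin_name: str, version: str) -> bool:
    """True only if the downloaded bytes hash to the published digest."""
    actual = hashlib.sha256(hpi).digest()
    expected = expected_sha256(update_center_json, plugin_name, version)
    # compare_digest is the idiomatic constant-time comparison for security checks.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    tampered = PLUGIN_BYTES + b"\x00"  # constructed modified download
    print("genuine :", verify_plugin(PLUGIN_BYTES, UPDATE_CENTER_JSON, "example-plugin", "1.0"))
    print("tampered:", verify_plugin(tampered, UPDATE_CENTER_JSON, "example-plugin", "1.0"))
```

In practice the metadata would be fetched over TLS from the update center and the plugin installed only when verify_plugin returns True.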

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version and Plugin Installation Manager Tool version in Jenkins web interface under Manage Jenkins > About Jenkins

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify Jenkins version is 2.263+ and Plugin Installation Manager Tool is 2.1.4+ in About Jenkins page

📡 Detection & Monitoring

Log Indicators:

  • Unexpected plugin installation attempts
  • Plugin downloads from unusual sources
  • Errors in plugin verification

Network Indicators:

  • Jenkins server downloading plugins from non-standard update servers
  • Unusual outbound connections during plugin installation

SIEM Query:

source="jenkins.log" AND ("plugin install" OR "plugin download") AND NOT "update.jenkins.io"
