CVE-2020-2091

Description

A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

Affected products

• Jenkins Project / Jenkins Amazon EC2 Pluginunspecified – 1.47
• Jenkins Project / Jenkins Amazon EC2 Plugin1.46.2 – unspecified
• Jenkins Project / Jenkins Amazon EC2 Plugin1.42.2 – unspecified

References

• MISChttps://jenkins.io/security/advisory/2020-01-15/#SECURITY-1004