Jenkins Plug-in Multiple Vulnerabilities Threat Alert

May 12, 2020

Vulnerability Description

On May 6, Jenkins released a security bulletin announcing fixes for nine vulnerabilities in five plug-ins. The SCM Filter Jervis plug-in contains a remote code execution vulnerability (CVE-2020-2189), which is officially rated high-risk. Because the plug-in does not configure its YAML parser by default, the vulnerability is exploitable by users who can configure jobs with the filter or who control the contents of a previously configured job’s SCM repository. The Credentials Binding plug-in contains two credential disclosure vulnerabilities (CVE-2020-2181 and CVE-2020-2182); the Copy Artifact plug-in contains an improper permission check vulnerability (CVE-2020-2183); the CVS plug-in contains a cross-site request forgery vulnerability (CVE-2020-2184); and the Amazon EC2 plug-in contains four vulnerabilities (CVE-2020-2185, CVE-2020-2186, CVE-2020-2187, and CVE-2020-2188).


