VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-sa11-2uur-8ybd

Essentials
Severities (28)
References (11)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-sa11-2uur-8ybd
Aliases	CVE-2020-2254 GHSA-vq7j-6pcq-f48p
Summary	Path traversal vulnerability in Blue Ocean Plugin Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, `blueocean.features.GIT_READ_SAVE_TYPE`, that when set to the value `clone` allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system. Blue Ocean Plugin 1.23.3 no longer includes this feature and redirects existing usage to a safer alternative.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2254.json
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
epss	0.02419	https://api.first.org/data/v1/epss?cve=CVE-2020-2254
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-vq7j-6pcq-f48p
cvssv3.1	5.3	https://github.com/jenkinsci/blueocean-plugin
generic_textual	MODERATE	https://github.com/jenkinsci/blueocean-plugin
cvssv3.1	5.3	https://github.com/jenkinsci/blueocean-plugin/commit/f0dd4b68d62ac3c3c85012d6eb0c92bcebf85e12
generic_textual	MODERATE	https://github.com/jenkinsci/blueocean-plugin/commit/f0dd4b68d62ac3c3c85012d6eb0c92bcebf85e12
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2020-2254
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2020-2254
cvssv3.1	5.3	https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1956
generic_textual	MODERATE	https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1956
cvssv3.1	5.3	http://www.openwall.com/lists/oss-security/2020/09/16/3
generic_textual	MODERATE	http://www.openwall.com/lists/oss-security/2020/09/16/3

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2254.json
		https://api.first.org/data/v1/epss?cve=CVE-2020-2254
		https://github.com/jenkinsci/blueocean-plugin
		https://github.com/jenkinsci/blueocean-plugin/commit/f0dd4b68d62ac3c3c85012d6eb0c92bcebf85e12
		https://nvd.nist.gov/vuln/detail/CVE-2020-2254
		https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1956
		http://www.openwall.com/lists/oss-security/2020/09/16/3
1880456		https://bugzilla.redhat.com/show_bug.cgi?id=1880456
GHSA-vq7j-6pcq-f48p		https://github.com/advisories/GHSA-vq7j-6pcq-f48p
RHSA-2020:4297		https://access.redhat.com/errata/RHSA-2020:4297
RHSA-2020:5102		https://access.redhat.com/errata/RHSA-2020:5102

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2254.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/jenkinsci/blueocean-plugin

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/jenkinsci/blueocean-plugin/commit/f0dd4b68d62ac3c3c85012d6eb0c92bcebf85e12

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2020-2254

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1956

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2020/09/16/3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.85048
EPSS Score	0.02419
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:10:39.895348+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vq7j-6pcq-f48p/GHSA-vq7j-6pcq-f48p.json	38.0.0