Cleartext storage of sensitive information in Jenkins Zephyr Enterprise Test Management Plugin
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-2145 |
| CWE-ID | CWE-312 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Zephyr Enterprise Test Management Web applications / Modules and components for CMS |
| Vendor | Jenkins |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU26015
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2020-2145
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a local user to view the password on the target system.
The vulnerability exists due to the affected software stores its Zephyr password in plain text in the global configuration file "com.thed.zephyr.jenkins.reporter.ZeeReporter.xml". A local user with access to the master file system can obtain
this credential.
Install updates from vendor's website.
Vulnerable software versionsZephyr Enterprise Test Management: 1.0 - 1.9.1
CPE2.3 External linkshttp://www.openwall.com/lists/oss-security/2020/03/09/1
http://jenkins.io/security/advisory/2020-03-09/#SECURITY-1596
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
