SB2020031217 - Cleartext transmission of sensitive information in Jenkins Repository Connector Plugin

Description

This security bulletin contains information about 1 security vulnerability.

1) Cleartext transmission of sensitive information (CVE-ID: CVE-2020-2149)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

Note: The affected plugin stores credentials in its global configuration file "org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml" on the Jenkins master as part of its configuration.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://www.openwall.com/lists/oss-security/2020/03/09/1
• https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1520