SB2020050720 - Multiple vulnerabilities in Jenkins Credentials Binding plugin

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020050720

SB2020050720 - Multiple vulnerabilities in Jenkins Credentials Binding plugin

Published: May 7, 2020

Security Bulletin ID SB2020050720
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Insufficiently protected credentials (CVE-ID: CVE-2020-2181)

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. A remote authenticated attacker can gain unauthorized access to sensitive information on the target system.


2) Insufficiently protected credentials (CVE-ID: CVE-2020-2182)

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. A remote authenticated attacker can gain unauthorized access to sensitive information on the target system.


Remediation

Install update from vendor's website.

References