Insufficiently protected credentials in Project Inheritance - CVE-2020-2198

 

Insufficiently protected credentials in Project Inheritance - CVE-2020-2198

Published: June 4, 2020


Vulnerability identifier: #VU28578
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-2198
CWE-ID: CWE-522
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Project Inheritance

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin does not redact encrypted secrets in the "getConfigAsXML" API URL when transmitting job config.xml data to users without Job/Configure. A remote authenticated attacker can gain unauthorized access to sensitive information on the target system.


How to mitigate CVE-2020-2198

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources