Cleartext transmission of sensitive information in SoapUI Pro Functional Testing - CVE-2020-2251

 

Cleartext transmission of sensitive information in SoapUI Pro Functional Testing - CVE-2020-2251

Published: September 2, 2020 / Updated: October 2, 2020


Vulnerability identifier: #VU46222
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-2251
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
SoapUI Pro Functional Testing

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to affected plugin stores project passwords in job "config.xml" files on the Jenkins controller as part of its configuration. A remote user with Extended Read permission can gain access to sensitive data.


How to mitigate CVE-2020-2251

Install update from vendor's website.

Sources