#VU28578 Insufficiently protected credentials in Project Inheritance - CVE-2020-2198
Published: June 4, 2020
Vulnerability identifier: #VU28578
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-2198
CWE-ID: CWE-522
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Project Inheritance
Project Inheritance
Software vendor:
Jenkins
Jenkins
Description
The vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to the affected plugin does not redact encrypted secrets in the "getConfigAsXML" API URL when transmitting job config.xml data to users without Job/Configure. A remote authenticated attacker can gain unauthorized access to sensitive information on the target system.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.