CVE-2020-2095

Name of the Vulnerable Software and Affected Versions Jenkins Redgate SQL Change Automation Plugin versions 2.0.4 and earlier

Description The issue concerns the storage of an API key in an unencrypted form in job config.xml files on the Jenkins master. This allows users with Extended Read permission or access to the master file system to view the key. The problem arises from an incomplete fix of a previous security issue. It is estimated that this could potentially affect a significant number of devices, but the exact number is not specified. There is no information provided about real-world incidents where this issue was exploited.

Recommendations For versions 2.0.4 and earlier, update to version 2.0.5 or later, which stores the API key encrypted. Additionally, for existing jobs, save their configuration to overwrite existing plain text passwords. As a temporary workaround, consider restricting access to the Jenkins master file system and limiting Extended Read permissions to minimize the risk of exploitation.