PT-2020-15326 · Jenkins · Jenkins Azure AD Plugin

Jetersen

Published 2020-02-12 · Updated 2023-10-25 · CVE-2020-2119

CVSS v3.1 5.3 Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Azure AD Plugin versions 1.1.2 and earlier

Description

The Azure AD Plugin stores the Azure AD application client secret in its global Jenkins configuration. The secret is encrypted on disk, but versions 1.1.2 and earlier transmit it in plain text as part of the global Jenkins configuration form. Anything that can read that page can therefore recover the secret: browser extensions, a cross-site scripting vulnerability elsewhere in Jenkins, and similar situations.

Recommendations

Update Jenkins Azure AD Plugin to version 1.2.0 or later, which transmits the client secret in its global configuration in encrypted form. Until the update is applied, restrict who can reach the global Jenkins configuration form: it is only served to users holding the Overall/Administer permission, so keep that permission to the minimum set of accounts, and rotate the client secret in Azure AD if it may already have been exposed.
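To verify whether an instance still exhibits the problem, the check below inspects the password inputs of the global configuration form and reports whether the client secret is echoed back as plain text (the 1.1.2 behaviour) or as a Jenkins Secret (the 1.2.0+ behaviour). This is an added example, not code from the advisory or from the plugin. The form excerpts are constructed, and the field names (`_.clientSecret` and friends) and the secret value are assumptions; the one fact it relies on is that `hudson.util.Secret.getEncryptedValue()` renders a stored secret as `{<base64>}`.

```python
import re
from html.parser import HTMLParser

# hudson.util.Secret.getEncryptedValue() renders a stored secret as "{<base64>}";
# that is what a fixed (1.2.0+) configuration form carries instead of the raw value.
JENKINS_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Constructed sample of the relevant part of the global configuration form (/configure)
# as a vulnerable plugin version would render it: the raw client secret is echoed back.
# Field names (_.clientSecret etc.) and the secret itself are assumptions for this example.
VULNERABLE_FORM = """
<form name="config" action="configSubmit" method="post">
  <input name="_.clientId" type="text" value="11111111-2222-3333-4444-555555555555">
  <input name="_.clientSecret" type="password" value="constructed~client.secret.value">
  <input name="_.tenant" type="text" value="example.onmicrosoft.com">
</form>
"""

# The same section as a fixed version renders it: the field carries the encrypted form only.
FIXED_FORM = """
<form name="config" action="configSubmit" method="post">
  <input name="_.clientId" type="text" value="11111111-2222-3333-4444-555555555555">
  <input name="_.clientSecret" type="password" value="{AQAAABAAAAAgQW5vdGhlciBjb25zdHJ1Y3RlZCB2YWx1ZQ==}">
  <input name="_.tenant" type="text" value="example.onmicrosoft.com">
</form>
"""


class _PasswordInputs(HTMLParser):
    """Collect (name, value) for every <input type="password"> in the form."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = dict(attrs)
        if (attr.get("type") or "").lower() == "password":
            self.fields.append((attr.get("name") or "", attr.get("value") or ""))


def classify_secret_field(form_html, field_name):
    """Classify how a password input is sent to the browser.

    Returns one of:
      'absent'    - no password input with that name in the form
      'empty'     - the field is rendered without a value
      'encrypted' - the value is a Jenkins Secret ({base64}), useless outside this instance
      'plaintext' - anything else: the raw secret is being transmitted (the CVE-2020-2119 pattern)
    """
    parser = _PasswordInputs()
    parser.feed(form_html)
    values = [value for name, value in parser.fields if name == field_name]
    if not values:
        return "absent"
    value = values[0]
    if value == "":
        return "empty"
    if JENKINS_SECRET_RE.match(value):
        return "encrypted"
    return "plaintext"


def exposed_password_fields(form_html):
    """Names of all password inputs in the form whose value is transmitted in plain text."""
    parser = _PasswordInputs()
    parser.feed(form_html)
    return [name for name, value in parser.fields
            if value and not JENKINS_SECRET_RE.match(value)]


if __name__ == "__main__":
    for label, form in (("1.1.2 style", VULNERABLE_FORM), ("1.2.0 style", FIXED_FORM)):
        print(label, classify_secret_field(form, "_.clientSecret"), exposed_password_fields(form))
```

Against a live instance, fetch `/configure` with a session that holds Overall/Administer (the form is not served to anyone else, which is also why the workaround above is about limiting that permission) and feed the response body to `exposed_password_fields`. It generalises beyond this one plugin: any password input on the page that carries a non-empty value other than a `{...}` Secret is being sent to the browser in plain text, whichever plugin contributed it.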

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2020-2119
GHSA-VVG2-HG3C-MQJ3

Affected Products

Jenkins
Jenkins Azure AD Plugin