CVE-2020-2125

Name of the Vulnerable Software and Affected Versions Jenkins Debian Package Builder Plugin versions 1.6.11 and earlier

Description The issue concerns the storage of a GPG passphrase in an unencrypted manner within the global configuration file on the Jenkins master or controller. This file can be accessed by users with privileges to the master or controller file system, potentially exposing the credential. The specific configuration file affected is ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml.

Recommendations For Jenkins Debian Package Builder Plugin versions 1.6.11 and earlier, consider restricting access to the Jenkins master or controller file system to minimize the risk of the GPG passphrase being viewed by unauthorized users. As a temporary workaround, limit the privileges of users who have access to the master or controller file system. At the moment, there is no information about a newer version that contains a fix for this vulnerability.