PT-2020-15354 · Jenkins · Jenkins Logstash Plugin+1

James Holderness · Published 2020-03-09 · Updated 2023-10-25 · CVE-2020-2143

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Logstash Plugin versions 2.3.1 and earlier

Description

The issue concerns the transmission of configured credentials in plain text as part of the global Jenkins configuration form. This potentially results in their exposure through various means, such as browser extensions or cross-site scripting vulnerabilities. The credentials are stored encrypted on disk but are transmitted in plain text by versions 2.3.1 and earlier of the Logstash Plugin.

Recommendations

For Jenkins Logstash Plugin versions 2.3.1 and earlier, update to version 2.3.2 or later, which transmits the credentials in its global configuration form in encrypted form. As a temporary workaround, consider restricting access to the global configuration form to minimize the risk of credential exposure.
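As an added illustration of the class of fix described above (not the Logstash plugin's own code or its 2.3.2 patch), the standard Jenkins pattern for keeping a global-configuration credential out of the form in cleartext: hold it as hudson.util.Secret rather than String, so that both config.xml and the configuration form carry only the encrypted token. The class name, field name and Jelly snippet are assumptions.

```java
// Added example, not code from the Logstash plugin or its fix.
// Class name, field name and the Jelly snippet are assumptions.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

@Extension
public class ExampleSinkGlobalConfiguration extends GlobalConfiguration {

    // Weak pattern (the defect class described above): a plain String.
    // Even if the plugin encrypts it before writing config.xml, the global
    // configuration form is populated from the getter, so the browser
    // receives and re-submits the plaintext on every visit to /configure.
    //
    //   private String password;
    //   public String getPassword() { return password; }

    // Hardened pattern: hudson.util.Secret. It is persisted to config.xml
    // encrypted with the controller's instance-specific key, and <f:password>
    // fills the form with Secret#getEncryptedValue(), so the plaintext never
    // leaves the controller. On submit, Secret#fromString() accepts either
    // the unchanged encrypted token or a newly typed value.
    private Secret password;

    public ExampleSinkGlobalConfiguration() {
        load(); // restore persisted state from config.xml
    }

    public Secret getPassword() {
        return password;
    }

    @DataBoundSetter
    public void setPassword(Secret password) {
        this.password = password;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        req.bindJSON(this, json); // invokes the @DataBoundSetter above
        save();
        return true;
    }

    // Decrypt only at the point of use (e.g. opening the outbound connection),
    // never in anything that reaches the form, the logs or an API response.
    public String plainTextForConnection() {
        return password == null ? null : password.getPlainText();
    }
}
// Matching config.jelly entry (assumed; the plugin's own is not shown here):
//   <f:entry title="Password" field="password"><f:password/></f:entry>
```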

Fix

Weakness Enumeration

Cleartext Transmission of Sensitive Information

Related Identifiers

CVE-2020-2143
GHSA-5PG8-F89X-WJCX

Affected Products

Jenkins
Jenkins Logstash Plugin