PT-2020-15356 · Jenkins · Jenkins Zephyr Enterprise Test Management Plugin
James Holderness · Published 2020-03-09 · Updated 2023-10-25 · CVE-2020-2145
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Zephyr Enterprise Test Management Plugin versions 1.9.1 and earlier
Description
The plugin stores the Zephyr password in plain text on the Jenkins master file system, specifically in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This allows users with access to the Jenkins controller file system to view the password.
Recommendations
For Jenkins Zephyr Enterprise Test Management Plugin versions 1.9.1 and earlier, update to version 1.10, which integrates with the Credentials Plugin to securely store the Zephyr password.
Fix
Insufficiently Protected Credentials
Affected Products
Credentials Plugin
Jenkins
Jenkins Zephyr Enterprise Test Management Plugin