CVE-2020-2149

Name of the Vulnerable Software and Affected Versions Jenkins Repository Connector Plugin versions 1.2.6 and earlier

Description The issue concerns the transmission of configured credentials in plain text as part of the global Jenkins configuration form. Although credentials are stored encrypted on disk in the org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml file on the Jenkins controller, they are sent in plain text when the configuration form is transmitted. This could lead to credential exposure through various means, including browser extensions and cross-site scripting vulnerabilities.

Recommendations For Jenkins Repository Connector Plugin versions 1.2.6 and earlier, consider updating to a version that addresses this issue, as the current version transmits credentials in plain text. At the moment, there is no information about a newer version that contains a fix for this vulnerability.