CVE-2020-2153

Name of the Vulnerable Software and Affected Versions Jenkins Backlog Plugin versions 2.4 and earlier

Description The issue concerns the transmission of configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. Credentials are stored encrypted on disk but are transmitted in plain text as part of the configuration form. These credentials could be viewed by users with Extended Read permission.

Recommendations For Jenkins Backlog Plugin versions 2.4 and earlier, consider updating to a version that addresses this issue, as the current version transmits credentials in plain text. As a temporary workaround, consider restricting access to job configuration forms to minimize the risk of credential exposure. Restrict users with Extended Read permission from accessing sensitive job configurations to prevent potential credential viewing. At the moment, there is no information about a newer version that contains a fix for this vulnerability.