CVE-2020-2154

Name of the Vulnerable Software and Affected Versions Jenkins Zephyr for JIRA Test Management Plugin versions 1.5 and earlier

Description The issue concerns the storage of credentials in plain text in a global configuration file on the Jenkins master file system. Specifically, the Zephyr for JIRA Test Management Plugin stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Recommendations For versions 1.5 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation. As a temporary workaround, restrict access to the global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.