CVE-2020-2155

Name of the Vulnerable Software and Affected Versions Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier

Description The issue is related to the transmission of configured credentials in plain text as part of the global Jenkins configuration form. This potentially results in their exposure. The credentials are stored encrypted on disk in the org.jenkinsci.plugins.openshift.DeployApplication.xml file on the Jenkins controller but are transmitted in plain text as part of the configuration form. This can lead to exposure through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Recommendations For Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier, consider disabling the transmission of credentials in plain text as a temporary workaround until a patch is available. Restrict access to the global Jenkins configuration form to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.