CVE-2020-2156

Name of the Vulnerable Software and Affected Versions Jenkins DeployHub Plugin versions 8.0.14 and earlier

Description The issue concerns the transmission of configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. The credentials are stored encrypted on disk in config.xml files but are transmitted in plain text by the DeployHub Plugin. This could allow users with Extended Read permission to view these credentials.

Recommendations For Jenkins DeployHub Plugin versions 8.0.14 and earlier, consider restricting access to the job configuration forms to minimize the risk of credential exposure. As a temporary workaround, limit the permissions of users to prevent those with Extended Read permission from accessing sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.