PT-2020-15412 · Jenkins · Jenkins Project Inheritance Plugin
Daniel Beck · Published 2020-06-03 · Updated 2023-10-25
CVE-2020-2198
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Project Inheritance Plugin versions 21.04.03 and earlier
Description
The plugin transmits job config.xml data to users who lack Job/Configure permission. Specifically, its "getConfigAsXML" API endpoint does not redact encrypted secrets before sending this data, which could expose sensitive information.
Recommendations
For Jenkins Project Inheritance Plugin versions 21.04.03 and earlier, consider restricting access to the "getConfigAsXML" API endpoint until a fix is available. As a temporary workaround, ensure job config.xml data is sent only to users who hold Job/Configure permission.
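As an added illustration (not code from the plugin or from Jenkins), this shows the redaction a config.xml endpoint is expected to apply before serving job configuration to a user who lacks Job/Configure, plus an audit check for responses that still carry an encrypted value. The `{base64}` secret format and the `********` replacement follow my understanding of what Jenkins core does for such users; the permission-set argument, the sample config.xml and its secret blob are constructed for the example.

```python
import re

# Jenkins stores encrypted secrets in config.xml as a base64 blob wrapped in
# braces, e.g. <password>{AQAAABAAAAAQ...}</password>. This pattern is an
# assumption modelled on the one Jenkins core applies when serving config.xml
# to users without Job/Configure; it is not the plugin's own code.
ENCRYPTED_VALUE = re.compile(r">(\{[A-Za-z0-9+/]+={0,2}\})<")
REDACTED = "********"


def redact_secrets(config_xml: str) -> str:
    """Replace every encrypted secret value in a config.xml string."""
    return ENCRYPTED_VALUE.sub(">" + REDACTED + "<", config_xml)


def config_for_user(config_xml: str, permissions: set) -> str:
    """Serve config.xml the way a permission-aware endpoint should:
    the full document only for Job/Configure, redacted otherwise."""
    if "Job/Configure" in permissions:
        return config_xml
    return redact_secrets(config_xml)


def leaks_secrets(served_xml: str) -> bool:
    """Audit helper: True if a config.xml served to a non-Configure user
    still carries an encrypted secret value, i.e. redaction did not happen."""
    return ENCRYPTED_VALUE.search(served_xml) is not None


# Constructed sample config.xml; the secret blob is made up, not a real ciphertext.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <description>build job</description>
  <builders>
    <hudson.tasks.Shell><command>make</command></hudson.tasks.Shell>
  </builders>
  <password>{AQAAABAAAAAQ0Zm9vYmFyYmF6cXV4cXV1eA==}</password>
</project>
"""

if __name__ == "__main__":
    served = config_for_user(SAMPLE_CONFIG, {"Job/Read"})
    print(served)
    print("leaks secrets:", leaks_secrets(served))
```

Running `leaks_secrets` over the body actually returned by an endpoint to a low-privilege test account is a quick way to confirm that redaction is in place after applying the workaround or the fix.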
Weakness Enumeration
Insufficiently Protected Credentials
Related Identifiers
CVE-2020-2198
Affected Products
Jenkins
Jenkins Project Inheritance Plugin