CVE-2020-2208

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Slack Upload Plugin versions 1.7 and earlier

Description The issue allows users with Extended Read permission, or access to the master file system, to view a secret stored unencrypted in job config.xml files on the Jenkins master.

Recommendations For Jenkins Slack Upload Plugin versions 1.7 and earlier, consider restricting access to the master file system and limiting Extended Read permissions to minimize the risk of exploitation. As a temporary workaround, consider encrypting sensitive data stored in job config.xml files until a more permanent solution is available.

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-256CWE-522

Related Identifiers

CVE-2020-2208

GHSA-656G-HF8V-X2RW

Affected Products

Jenkins

Jenkins Slack Upload Plugin

CVE-2020-2208

Weakness Enumeration

Related Identifiers

Affected Products

References · 7