CVE-2020-2210

Name of the Vulnerable Software and Affected Versions Jenkins Stash Branch Parameter Plugin versions 0.3.0 and earlier

Description The issue concerns the transmission of configured passwords in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. This occurs because the Stash Branch Parameter Plugin stores Stash API passwords in its global configuration file org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml on the Jenkins controller. Although the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can lead to password exposure through browser extensions, cross-site scripting vulnerabilities, and similar situations. The issue affects Jenkins versions before 2.236, including 2.235.x LTS, due to the lack of transparent encryption and decryption of data used for a Jenkins password form field, which is introduced in Jenkins 2.236.

Recommendations For Jenkins Stash Branch Parameter Plugin versions 0.3.0 and earlier, consider disabling the plugin until a patch is available to prevent the transmission of configured passwords in plain text. For Jenkins versions before 2.236, including 2.235.x LTS, update to Jenkins 2.236 or later to benefit from the security hardening that transparently encrypts and decrypts data used for a Jenkins password form field.