CVE-2020-2212

Name of the Vulnerable Software and Affected Versions Jenkins GitHub Coverage Reporter Plugin versions 1.8 and earlier Jenkins GitHub Coverage Reporter Plugin versions 1.10 and earlier

Description The issue concerns the storage of secrets in plain text in the global configuration file on the Jenkins master. This allows users with access to the master file system or read permissions on the system configuration to view these secrets. Specifically, the GitHub access token is stored unencrypted in the io.jenkins.plugins.gcr.PluginConfiguration.xml file, making it accessible to users with access to the Jenkins controller file system.

Recommendations For Jenkins GitHub Coverage Reporter Plugin versions 1.8 and earlier, update to a version later than 1.8 to ensure secrets are stored securely. For Jenkins GitHub Coverage Reporter Plugin versions 1.10 and earlier, consider restricting access to the io.jenkins.plugins.gcr.PluginConfiguration.xml file until a secure version is available. As a temporary workaround, consider limiting user access to the Jenkins master file system and system configuration to minimize the risk of exploitation.