PT-2020-15428 · Jenkins · Jenkins White Source Plugin

Wasin Saengow · Published 2020-07-02 · Updated 2023-10-25

CVE-2020-2213 · CVSS v3.1 4.3 Medium
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins White Source Plugin versions 19.1.1 and earlier; more broadly, all versions prior to 20.8.1 (the first fixed release).
Description
The plugin stores its credentials unencrypted on the Jenkins controller (master): in its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and in the config.xml of each job that uses it. Because the values are written as plain text, they can be read by users with Extended Read permission (which exposes job configuration read-only) and by anyone with access to the controller file system.
Recommendations
Update to Jenkins White Source Plugin 20.8.1 or later; this resolves the issue for every affected release (19.1.1 and earlier as well as any other version prior to 20.8.1). Until the update can be applied, restrict access to the controller file system and grant Extended Read permission only where strictly required. Note that updating does not undo prior exposure: credentials that were already written in plain text should be treated as disclosed and rotated.
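Added example, not code from this page, the plugin or the Jenkins project: a Python check for the condition the advisory describes, namely secret-looking values written as literal text into the plugin's global configuration file or into job config.xml files, rather than in the braced base64 form Jenkins uses when it persists an encrypted hudson.util.Secret. The page does not give the plugin's field names, so the root element and fields in the constructed samples (apiToken, userKey, password) are assumptions, as is the scan_jenkins_home helper that applies the check to a controller's JENKINS_HOME.

```python
"""Flag secret-looking values stored in plain text in Jenkins config XML.

Added example; element names in the constructed samples are assumptions.
The check relies only on how Jenkins serialises hudson.util.Secret.
"""
import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

# Jenkins writes hudson.util.Secret values as base64 ciphertext wrapped in
# braces, e.g. "{AQAAABAAAAAQ...}". A secret-looking field whose text does not
# have that shape is a candidate plain-text credential.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Heuristic tag-name filter. "credentialsId" is deliberately not matched: it is
# a reference into the credentials store, not a secret itself.
SECRET_TAG = re.compile(
    r"(apikey|api_key|apitoken|token|password|passwd|secret|userkey|accesskey)",
    re.I,
)


def find_plaintext_secrets(xml_text):
    """Return [(xpath, value)] for secret-like elements whose text is not in
    Jenkins' encrypted Secret form, in document order."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SECRET_TAG.search(elem.tag) and not ENCRYPTED_SECRET.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jenkins_home(jenkins_home):
    """Check the plugin's global config file and every job config.xml under
    JENKINS_HOME (assumed layout); returns {relative_path: findings} for files
    that have hits."""
    home = Path(jenkins_home)
    candidates = [home / "org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml"]
    candidates += home.glob("jobs/**/config.xml")
    report = {}
    for path in candidates:
        if not path.is_file():
            continue
        hits = find_plaintext_secrets(path.read_text(encoding="utf-8"))
        if hits:
            report[str(path.relative_to(home))] = hits
    return report


# Constructed samples (not real files). The vulnerable forms mirror what the
# advisory describes: credentials written as literal text into the XML.
VULNERABLE_GLOBAL_CONFIG = """\
<org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep_-DescriptorImpl>
  <serviceUrl>https://example.invalid/agent</serviceUrl>
  <apiToken>a1b2c3d4-plain-text-token</apiToken>
  <userKey>user-key-in-the-clear</userKey>
</org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep_-DescriptorImpl>
"""

VULNERABLE_JOB_CONFIG = """\
<project>
  <description>build with dependency scan</description>
  <publishers>
    <org.example.ScanPublisher>
      <credentialsId>ws-token</credentialsId>
      <password>hunter2</password>
    </org.example.ScanPublisher>
  </publishers>
</project>
"""

# The same global config once values are persisted as hudson.util.Secret. The
# ciphertext is an arbitrary base64 string, not a real Jenkins secret.
FIXED_GLOBAL_CONFIG = """\
<org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep_-DescriptorImpl>
  <serviceUrl>https://example.invalid/agent</serviceUrl>
  <apiToken>{AQAAABAAAAAQdGhpcyBpcyBub3QgYSByZWFsIGNpcGhlcnRleHQ=}</apiToken>
  <userKey>{AQAAABAAAAAQYW5vdGhlciBmYWtlIGNpcGhlcnRleHQgdmFsdWU=}</userKey>
</org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep_-DescriptorImpl>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan a real controller: python scan.py /var/lib/jenkins
        for rel, hits in scan_jenkins_home(sys.argv[1]).items():
            for xpath, value in hits:
                print(f"{rel}: {xpath} = {value!r}")
    else:
        for name, sample in [("global", VULNERABLE_GLOBAL_CONFIG),
                             ("job", VULNERABLE_JOB_CONFIG),
                             ("fixed", FIXED_GLOBAL_CONFIG)]:
            print(name, find_plaintext_secrets(sample))
```

Run it with a JENKINS_HOME path to scan a controller; without arguments it exercises the constructed samples, where the two vulnerable documents produce hits and the fixed one produces none. The tag filter is a heuristic: review hits by hand, and remember that a credential held in a field with an unusual name will not be caught, so treat a clean result as evidence rather than proof.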

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2020-2213
GHSA-V8V2-FHGV-3VQ2

Affected Products

Jenkins
Jenkins White Source Plugin