PT-2020-15453 · Jenkins · Jenkins Email Extension Plugin
Bjoern Kasteleiner · Published 2020-08-12 · Updated 2023-10-25 · CVE-2020-2232
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Email Extension Plugin versions 2.72 through 2.73
Description
The issue concerns the transmission and display of the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure. The Email Extension Plugin stores the SMTP password in its global configuration file
hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller. Although the password is stored encrypted on disk, affected versions transmit it and display it in plain text in the configuration form.
Recommendations
For Jenkins Email Extension Plugin versions 2.72 and 2.73, update to version 2.74 or later, which transmits the SMTP password encrypted and masks it using a password field.
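A defender-side inventory check for the affected range, added here as an example (not code from the advisory or from the Jenkins project). It assumes the plugin list has the shape returned by a Jenkins controller's /pluginManager/api/json?depth=1 endpoint (a "plugins" array with "shortName" and "version"), that the plugin's short name is "email-ext", and that the sample inventory is constructed data; it treats 2.72 <= version < 2.74 as affected, which also covers any point release between 2.73 and the 2.74 fix.

```python
"""Flag Jenkins Email Extension Plugin installs in the CVE-2020-2232 range."""
import json
import re

AFFECTED_SHORT_NAME = "email-ext"   # assumed plugin short name
AFFECTED_MIN = (2, 72)              # first affected release per the advisory
FIXED_FROM = (2, 74)                # first fixed release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '2.73', '2.73.1' or '2.73-beta' into a comparable tuple of ints."""
    numbers = re.match(r"[\d.]+", version.strip())
    if not numbers:
        raise ValueError(f"unparseable plugin version: {version!r}")
    parts = numbers.group(0).strip(".").split(".")
    return tuple(int(part) for part in parts if part)


def is_affected(version: str) -> bool:
    """True when 2.72 <= version < 2.74 (2.72 and 2.73 per the advisory)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_FROM


def find_affected(inventory_json: str) -> list:
    """Return (shortName, version) pairs that still need the 2.74+ upgrade."""
    plugins = json.loads(inventory_json).get("plugins", [])
    return [
        (p["shortName"], p["version"])
        for p in plugins
        if p.get("shortName") == AFFECTED_SHORT_NAME and is_affected(p["version"])
    ]


# Constructed sample inventory, not data from a real controller.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "email-ext", "version": "2.73"},
    {"shortName": "mailer", "version": "1.32"},
]})

if __name__ == "__main__":
    for name, version in find_affected(SAMPLE_INVENTORY):
        print(f"{name} {version}: SMTP password sent and shown in clear in the "
              f"global config form (CVE-2020-2232); upgrade to 2.74 or later")
```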
Fix
Update Jenkins Email Extension Plugin to version 2.74 or later.
Weakness Enumeration
Cleartext Transmission of Sensitive Information
Related Identifiers
CVE-2020-2232
Affected Products
Jenkins
Jenkins Email Extension Plugin