PT-2020-15459 · Jenkins · Jenkins Parameterized Trigger Plugin+1
Wasin Saengow · Published 2020-09-01 · Updated 2023-10-25 · CVE-2020-2239
CVSS v2.0: 4.0 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Parameterized Remote Trigger Plugin versions 3.1.3 and earlier
Description
Jenkins Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret in unencrypted form in its global configuration file on the Jenkins controller, specifically in
org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml. Anyone with access to the Jenkins controller file system can therefore read the secret.
Recommendations
For Jenkins Parameterized Remote Trigger Plugin versions 3.1.3 and earlier, update to version 3.1.4 or later to ensure the secret is stored encrypted after re-saving the configuration.
As a temporary workaround, restrict access to the Jenkins controller file system to reduce the risk of the secret being read.
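To verify that the configuration was actually re-saved with the secret encrypted after the update, an administrator can audit the plugin's configuration file. The following Python script is an added example and is not code from the plugin or from Jenkins. It assumes that a re-saved secret appears in Jenkins' serialised Secret form, a base64 payload wrapped in braces ("{...}"), and it guesses which element names carry credentials (token, password, secret, passphrase); the advisory itself does not name the field. The sample XML is constructed for the example.

```python
"""Audit a Jenkins plugin configuration XML for secrets stored in plaintext.

Added illustration, not the plugin's or Jenkins' own code. Assumptions:
 - A value counts as encrypted when it has the Jenkins Secret form
   "{<base64>}", which is how Jenkins serialises encrypted secrets.
 - The element names treated as secret-bearing (token, password, secret,
   passphrase) are a guess; the advisory does not name the affected field.
"""
import re
import xml.etree.ElementTree as ET

# Jenkins' serialised encrypted Secret: base64 payload wrapped in braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")

# Element names that commonly carry credentials (assumption, see docstring).
SECRET_TAG_RE = re.compile(r"(token|password|secret|passphrase)", re.IGNORECASE)


def is_jenkins_encrypted(value: str) -> bool:
    """True if value looks like a Jenkins Secret in its encrypted serialised form."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def find_plaintext_secrets(xml_text: str) -> list:
    """Return (element path, tag) for each secret-like element not stored encrypted."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        # Flag non-empty secret-like values that are not in the encrypted form.
        if text and SECRET_TAG_RE.search(elem.tag) and not is_jenkins_encrypted(text):
            findings.append((here, elem.tag))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed sample resembling a plugin global config file; the element
# layout and values are invented for this example, not taken from a real file.
SAMPLE_CONFIG = """<org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration>
  <remoteSites>
    <remoteJenkinsServer>
      <displayName>build-farm-a</displayName>
      <address>https://jenkins-a.example.invalid</address>
      <token>s3cr3t-plaintext-token</token>
    </remoteJenkinsServer>
    <remoteJenkinsServer>
      <displayName>build-farm-b</displayName>
      <address>https://jenkins-b.example.invalid</address>
      <token>{AQAAABAAAAAQ8x1Kb2VtZmN4Zmhhc2RmZ2hqa2w=}</token>
    </remoteJenkinsServer>
  </remoteSites>
</org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration>
"""


if __name__ == "__main__":
    # On a real controller, read $JENKINS_HOME/<config file> instead of the sample.
    for path, tag in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext secret at {path}")
```

Run against the sample, the script reports only the first server entry, whose token is still stored as plaintext; the second entry is in the encrypted form the fixed plugin writes. A clean run after upgrading and re-saving the configuration returns no findings.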
Fix
Missing Encryption of Sensitive Data
Affected Products
Jenkins
Jenkins Parameterized Trigger Plugin