PT-2020-15474
Tags: ReadyAPI · ReadyAPI Functional Testing Plugin

Published: 2020-09-01 · Updated: 2023-10-25
CVE-2020-2250
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins SoapUI Pro Functional Testing Plugin versions 1.3 and earlier; ReadyAPI Functional Testing Plugin versions 1.3 and earlier
Description
The plugin stores project passwords unencrypted in job config.xml files on the Jenkins controller instead of using Jenkins' encrypted secret storage. Any user with Extended Read permission on an affected job (which exposes the job's config.xml through the web interface), or anyone with read access to the controller's file system, can recover the passwords in clear text. Note that the CVSS vector rates this as low-privilege (PR:L) and network-reachable: an ordinary authenticated user holding Extended Read is enough, no controller shell access is required.
Recommendations
Update to ReadyAPI Functional Testing Plugin version 1.4 or later. Upgrading alone is not sufficient: passwords already written to config.xml stay in clear text until each affected job configuration is saved again, which rewrites the field in encrypted form. After re-saving, check the job config.xml files on the controller to confirm that no plain-text password values remain. Until the upgrade can be applied, restrict access to the Jenkins controller file system and grant Extended Read permission only to users who genuinely need it; also treat any project password that was stored by an affected version as exposed and consider rotating it.
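The check suggested above, as an added example that is not part of this advisory or of the plugin: a small scanner that parses a job's config.xml and reports password-like elements whose value is not in the encrypted form Jenkins uses for Secret fields (a base64 string wrapped in braces, e.g. "{AQAAAB...}"). The sample config.xml, the element names (exampleProjectBuilder, projectPassword, environmentPassword) and the job layout are constructed for illustration and are not the plugin's real serialization; the element-name heuristic and the encrypted-value pattern are the assumptions the scanner relies on.

```python
import re
import sys
from pathlib import Path
from typing import Iterator, List, Tuple
import xml.etree.ElementTree as ET

# Jenkins serializes encrypted Secret fields as base64 wrapped in braces,
# e.g. "{AQAAABAAAAAQ...}". Anything else in a password field is clear text.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Heuristic (assumption): any element whose tag contains "password" holds a credential.
PASSWORD_TAG_RE = re.compile(r"password", re.IGNORECASE)


def _walk(elem: ET.Element, path: str = "") -> Iterator[Tuple[str, ET.Element]]:
    """Depth-first walk yielding (slash-separated path, element) for every element."""
    path = f"{path}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def mask(value: str) -> str:
    """Keep only the first character so a report never re-leaks the secret."""
    return value[0] + "*" * (len(value) - 1)


def find_plaintext_passwords(config_xml: str) -> List[Tuple[str, str]]:
    """Return (element path, masked value) for password-like elements stored unencrypted.

    Empty elements are skipped, and values already in the {base64} form are
    treated as encrypted.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for path, elem in _walk(root):
        if not PASSWORD_TAG_RE.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if value and not ENCRYPTED_RE.match(value):
            findings.append((path, mask(value)))
    return findings


def scan_jenkins_home(jenkins_home: Path) -> List[Tuple[str, str, str]]:
    """Scan every jobs/*/config.xml under JENKINS_HOME; returns (job dir, path, masked value)."""
    results = []
    for config in sorted(jenkins_home.glob("jobs/*/config.xml")):
        for path, masked in find_plaintext_passwords(config.read_text(encoding="utf-8")):
            results.append((config.parent.name, path, masked))
    return results


# Constructed sample: one job config with one clear-text project password (the
# pre-fix state), one already-encrypted field, and one empty password element.
SAMPLE_CONFIG_XML = """<project>
  <description>ReadyAPI smoke tests</description>
  <builders>
    <exampleProjectBuilder>
      <projectPath>/var/lib/jenkins/projects/api-tests.xml</projectPath>
      <projectPassword>hunter2</projectPassword>
      <environmentPassword>{AQAAABAAAAAQd2VsbC1mb3JtZWQtYnV0LWZha2U=}</environmentPassword>
      <password></password>
    </exampleProjectBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for job, path, masked in scan_jenkins_home(Path(sys.argv[1])):
            print(f"PLAINTEXT  job={job}  {path} = {masked}")
    else:
        for path, masked in find_plaintext_passwords(SAMPLE_CONFIG_XML):
            print(f"PLAINTEXT  {path} = {masked}")
```

Run it with the path to JENKINS_HOME as the single argument to scan all jobs; run it with no arguments to see it flag only the clear-text projectPassword in the constructed sample. Run it once before the upgrade to list affected jobs and once after re-saving them to confirm the list is empty; the report deliberately masks values so it can be pasted into a ticket.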

Fix
ReadyAPI Functional Testing Plugin version 1.4 (affected job configurations must be saved again after the upgrade for the stored project passwords to be encrypted)

Weakness Enumeration
Missing Encryption of Sensitive Data

Related Identifiers
CVE-2020-2250
GHSA-CCWP-633J-G29V

Affected Products
Jenkins
Jenkins SoapUI Pro Functional Testing Plugin
ReadyAPI Functional Testing Plugin