PT-2020-15475 · Cloudbees+2 · Jenkins+2
Wasin Saengow · Published 2020-09-01 · Updated 2024-03-06 · CVE-2020-2251
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins SoapUI Pro Functional Testing Plugin versions 1.5 and earlier
ReadyAPI Functional Testing Plugin versions 1.5 and earlier
Jenkins versions prior to 2.236, including 2.235.x LTS

Description
The plugins store project passwords in job config.xml files on the Jenkins controller as part of their configuration. Since version 1.4 these passwords are stored encrypted on disk, but versions 1.5 and earlier still transmit them in plain text as part of the job configuration form, which exposes them. Attackers with Extended Read permission can view these passwords.

Recommendations
For Jenkins SoapUI Pro Functional Testing Plugin versions 1.5 and earlier: update to a version later than 1.5 so that passwords are no longer transmitted in plain text.
For ReadyAPI Functional Testing Plugin versions 1.5 and earlier: update to a version later than 1.5 so that passwords are no longer transmitted in plain text.
For Jenkins versions prior to 2.236, including 2.235.x LTS: update to Jenkins 2.236 or later, which includes the security hardening that encrypts and decrypts the data used in Jenkins password form fields.
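The affected ranges above mix plugin versions ("1.5 and earlier") with a Jenkins core boundary ("prior to 2.236, including 2.235.x LTS"), and LTS versions carry a third component, so a naive string comparison gets them wrong. The following is an added example for this record, not tooling from Jenkins, CloudBees or the plugin vendors: it parses dotted Jenkins-style version strings, compares them component-wise with missing components treated as zero, and reports which installed components fall inside the ranges listed in this advisory. The plugin display names used as dictionary keys are taken from the page; the inventory in the usage block is constructed.

```python
"""Version-range check for CVE-2020-2251 as listed in this record.

Added example, not vendor code. Assumes version strings are dotted
numerics as Jenkins uses them ("2.235.1" for LTS, "2.236" for a weekly
release, "1.5" for a plugin); a non-numeric tail such as "-SNAPSHOT"
is ignored.
"""

import re

# Display names as given in this record (installed plugin short IDs are
# not listed on the page; map them to these names before calling assess).
PLUGIN_NAMES = ("SoapUI Pro Functional Testing", "ReadyAPI Functional Testing")

# Boundaries stated in the advisory.
CORE_FIXED_FROM = (2, 236)      # Jenkins versions before this are affected
PLUGIN_LAST_AFFECTED = (1, 5)   # plugin versions at or below this are affected


def parse_version(text):
    """Return the leading dotted-numeric part of a version as a tuple of
    ints, or None if the string does not start with one."""
    match = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(a, b):
    """Pad two version tuples to equal length with zeros so that
    (2, 236) and (2, 236, 0) compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a, b):
    a, b = _pad(a, b)
    return a < b


def version_le(a, b):
    a, b = _pad(a, b)
    return a <= b


def core_affected(core_version):
    """True for Jenkins core versions prior to 2.236 (LTS 2.235.x included)."""
    v = parse_version(core_version)
    return v is not None and version_lt(v, CORE_FIXED_FROM)


def plugin_affected(plugin_version):
    """True for plugin versions 1.5 and earlier."""
    v = parse_version(plugin_version)
    return v is not None and version_le(v, PLUGIN_LAST_AFFECTED)


def assess(core_version, plugins):
    """Report each affected component as (name, version, recommendation).

    plugins: mapping of plugin display name -> installed version.
    Components that are not in this advisory are ignored.
    """
    findings = []
    if core_affected(core_version):
        findings.append(("Jenkins", core_version, "update to 2.236 or later"))
    for name, version in plugins.items():
        if name in PLUGIN_NAMES and plugin_affected(version):
            findings.append((name, version, "update to a version later than 1.5"))
    return findings


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    inventory = {
        "SoapUI Pro Functional Testing": "1.5",
        "ReadyAPI Functional Testing": "1.6",
    }
    for name, version, action in assess("2.235.1", inventory):
        print(f"{name} {version}: affected, {action}")
```

The check reports each component independently because the record gives a remediation for each side: either moving the plugin past 1.5 or moving Jenkins core to 2.236 or later addresses the plaintext form field, and an inventory that has done neither shows up twice.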

Fix

Weakness Enumeration
Cleartext Transmission of Sensitive Information

Related Identifiers
BIT-JENKINS-2020-2251
CVE-2020-2251
GHSA-Q4QQ-8Q2R-G2F2

Affected Products
Jenkins
Jenkins SoapUI Pro Functional Testing Plugin
ReadyAPI Functional Testing Plugin