PT-2020-15542 · Jenkins · Jenkins Sqlplus Script Runner Plugin
Chris Maggiulli · Published 2020-11-04 · Updated 2023-10-25 · CVE-2020-2312
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins SQLPlus Script Runner Plugin versions 2.0.12 and earlier
Description
The issue concerns the Jenkins SQLPlus Script Runner Plugin, where a password provided as a command line argument is not masked in build logs. This allows users with Item/Read permission to view the password, as it is printed in the build logs along with the sqlplus command invocation.
Recommendations
For Jenkins SQLPlus Script Runner Plugin versions 2.0.12 and earlier, update to version 2.0.13 or later to resolve the issue, as it no longer prints the password in the build logs.
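Build logs already written by an affected version may still contain the password after the upgrade. The following is an added example, not code from the advisory or the plugin: it scans build log text for sqlplus invocations that carry an inline user/password logon string and produces a redacted copy. The log line layout, host name and credentials in the sample are constructed assumptions.

```python
import re

# SQL*Plus logon argument: user/password[@connect_identifier], after optional -flags.
# Heuristic: "/nolog" and "/ as sysdba" have no user part and are not matched.
LOGON = re.compile(
    r"(?P<pre>\bsqlplus(?:\.exe)?[\"']?(?:\s+-\S+)*\s+[\"']?)"
    r"(?P<user>[^\s/\"'@]+)/(?P<pw>[^\s@\"']+)"
    r"(?P<post>@\S+)?",
    re.IGNORECASE,
)

# Constructed sample; the plugin's real log layout is an assumption.
SAMPLE_LOG = """\
Started by user admin
[workspace] $ /opt/oracle/bin/sqlplus -L -S app_user/S3cr3tPw@//db.example.internal:1521/ORCL @deploy.sql
[workspace] $ sqlplus /nolog @setup.sql
Finished: SUCCESS
"""


def find_exposed(log_text):
    """Return (line_number, user) for each sqlplus call with an inline password."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOGON.search(line)
        if m:
            hits.append((n, m.group("user")))
    return hits


def redact(log_text):
    """Return the log with the password part of each logon string masked."""
    def mask(m):
        return f"{m.group('pre')}{m.group('user')}/****{m.group('post') or ''}"
    return LOGON.sub(mask, log_text)


if __name__ == "__main__":
    for n, user in find_exposed(SAMPLE_LOG):
        print(f"line {n}: inline password for user {user!r}")
    print(redact(SAMPLE_LOG))
```

Any credential this finds should be treated as exposed to everyone with Item/Read on the job and rotated, not only masked.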
Fix
Insufficiently Protected Credentials
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Sqlplus Script Runner Plugin